Fix a double rtfree(9) triggered when IPSEC inserts a more specific

route because of PMTU.

otto@ reported the issue and helped me tracking it down during more
than one month, he is the man!

mikeb@ figured out the bug was in the forwarding path.

ok mikeb@, deraadt@, claudio@

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 51f9986..a1b33c6 100644 (file)
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_input.c,v 1.278 2016/07/18 13:17:44 bluhm Exp $    */
+/*     $OpenBSD: ip_input.c,v 1.279 2016/07/22 07:39:06 mpi Exp $      */
 /*     $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $   */
 
 /*
@@ -1488,6 +1488,7 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct rtentry *rt, int srcrt)
        error = ip_output(m, NULL, &ro,
            (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
            NULL, NULL, 0);
+       rt = ro.ro_rt;
        if (error)
                ipstat.ips_cantforward++;
        else {