Fix route leak in ip input.

In previous commit when refactoring the route cache, a rtfree() has
been forgotten.  For each forwarded packet the reference counter
of the route entry was increased.  This eventually leads to an
integer overflow and triggers kassert.

reported by and OK jan@

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 1d15104..ad0455b 100644 (file)
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_input.c,v 1.393 2024/04/16 12:56:39 bluhm Exp $    */
+/*     $OpenBSD: ip_input.c,v 1.394 2024/05/08 13:01:30 bluhm Exp $    */
 /*     $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $   */
 
 /*
@@ -587,6 +587,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
        ip_forward(m, ifp, &ro, pfrdr);
        *mp = NULL;
+       rtfree(ro.ro_rt);
        return IPPROTO_DONE;
  bad:
        nxt = IPPROTO_DONE;

diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index e389bc0..276a35d 100644 (file)
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip6_input.c,v 1.261 2024/04/16 12:56:39 bluhm Exp $   */
+/*     $OpenBSD: ip6_input.c,v 1.262 2024/05/08 13:01:30 bluhm Exp $   */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -615,6 +615,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
        ip6_forward(m, &ro, pfrdr);
        *mp = NULL;
+       rtfree(ro.ro_rt);
        return IPPROTO_DONE;
  bad:
        nxt = IPPROTO_DONE;