ip6_output_ipsec_send() may change the route embeded in struct ro

during path MTU discovery.  ip6_forward() has to update its rt
variable to the new route in ro.  Otherwise it could operate on a
freed route.
from markus@

diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 85994f3..12b74cb 100644 (file)
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip6_forward.c,v 1.100 2021/01/11 13:28:54 bluhm Exp $ */
+/*     $OpenBSD: ip6_forward.c,v 1.101 2021/10/14 17:39:42 bluhm Exp $ */
 /*     $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $    */
 
 /*
@@ -222,6 +222,7 @@ reroute:
                ro.ro_rt = rt;
                ro.ro_tableid = m->m_pkthdr.ph_rtableid;
                error = ip6_output_ipsec_send(tdb, m, &ro, 0, 1);
+               rt = ro.ro_rt;
                if (error)
                        goto senderr;
                goto freecopy;