From: bluhm <bluhm@openbsd.org>
Date: Wed, 8 May 2024 13:01:30 +0000 (+0000)
Subject: Fix route leak in ip input.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=652f3531c50b1870271ce5e3d3613f6597e0e5ca;p=openbsd

Fix route leak in ip input.

In previous commit when refactoring the route cache, a rtfree() has
been forgotten.  For each forwarded packet the reference counter
of the route entry was increased.  This eventually leads to an
integer overflow and triggers kassert.

reported by and OK jan@
---

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 1d1510470f3..ad0455b50f1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_input.c,v 1.393 2024/04/16 12:56:39 bluhm Exp $	*/
+/*	$OpenBSD: ip_input.c,v 1.394 2024/05/08 13:01:30 bluhm Exp $	*/
 /*	$NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $	*/
 
 /*
@@ -587,6 +587,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
 	ip_forward(m, ifp, &ro, pfrdr);
 	*mp = NULL;
+	rtfree(ro.ro_rt);
 	return IPPROTO_DONE;
  bad:
 	nxt = IPPROTO_DONE;
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index e389bc0aa35..276a35d6816 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_input.c,v 1.261 2024/04/16 12:56:39 bluhm Exp $	*/
+/*	$OpenBSD: ip6_input.c,v 1.262 2024/05/08 13:01:30 bluhm Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -615,6 +615,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 
 	ip6_forward(m, &ro, pfrdr);
 	*mp = NULL;
+	rtfree(ro.ro_rt);
 	return IPPROTO_DONE;
  bad:
 	nxt = IPPROTO_DONE;