From 652f3531c50b1870271ce5e3d3613f6597e0e5ca Mon Sep 17 00:00:00 2001 From: bluhm Date: Wed, 8 May 2024 13:01:30 +0000 Subject: [PATCH] Fix route leak in ip input. In previous commit when refactoring the route cache, a rtfree() has been forgotten. For each forwarded packet the reference counter of the route entry was increased. This eventually leads to an integer overflow and triggers kassert. reported by and OK jan@ --- sys/netinet/ip_input.c | 3 ++- sys/netinet6/ip6_input.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 1d1510470f3..ad0455b50f1 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.393 2024/04/16 12:56:39 bluhm Exp $ */ +/* $OpenBSD: ip_input.c,v 1.394 2024/05/08 13:01:30 bluhm Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -587,6 +587,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) ip_forward(m, ifp, &ro, pfrdr); *mp = NULL; + rtfree(ro.ro_rt); return IPPROTO_DONE; bad: nxt = IPPROTO_DONE; diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index e389bc0aa35..276a35d6816 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.261 2024/04/16 12:56:39 bluhm Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.262 2024/05/08 13:01:30 bluhm Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -615,6 +615,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) ip6_forward(m, &ro, pfrdr); *mp = NULL; + rtfree(ro.ro_rt); return IPPROTO_DONE; bad: nxt = IPPROTO_DONE; -- 2.20.1