diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2024-04-09 11:05:06 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2024-04-09 11:05:06 +0000 |
| commit | 025f55c88c97de2e0e641d8aef4477ad979832fd (patch) | |
| tree | cbb5f71fe9d7674c30fad0e6ffa6c593ced876e8 /sys/netinet6 | |
| parent | 89de3cc08047483d6d2a84a0489a528f89fed85b (diff) | |
Plug route leak in IP output.
If no struct route is passed to ip_output() or ip6_output(), it
uses its own iproute on the stack. In that case any route entry
in the local route cache has to be freed. After pf decides to
reroute, struct route is reset to NULL. Then the route reference
counter has to be released. Call rtfree() without needless NULL
check.
OK mvs@
Diffstat (limited to 'sys/netinet6')
| -rw-r--r-- | sys/netinet6/ip6_output.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 94519429cf0..a2ba550fa5a 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.288 2024/02/28 10:57:20 bluhm Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.289 2024/04/09 11:05:05 bluhm Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -635,6 +635,8 @@ reroute: /* tag as generated to skip over pf_test on rerun */ m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; finaldst = ip6->ip6_dst; + if (ro == &iproute) + rtfree(ro->ro_rt); ro = NULL; if_put(ifp); /* drop reference since destination changed */ ifp = NULL; @@ -758,11 +760,10 @@ reroute: bad: m_freem(m); done: - if (ro == &iproute && ro->ro_rt) { + if (ro == &iproute) rtfree(ro->ro_rt); - } else if (ro_pmtu == &iproute && ro_pmtu->ro_rt) { + else if (ro_pmtu == &iproute) rtfree(ro_pmtu->ro_rt); - } if_put(ifp); #ifdef IPSEC tdb_unref(tdb); |