Never cache a RTF_GATEWAY route as next hop for a gateway route.

This prevents rtentry loops when rt->rt_gwroute points to rt leading
to an infamous "rtentry leak" panic, easily triggered by dhclient(8)
trying to remove a route after resuming a machine.

This bug is at least 20 years old!  4.4BSD-Lite2 had a fix for it in
its X.25 output routine but apparently it never made it into OpenBSD.

ok claudio@

1 files changed, 11 insertions, 1 deletions

diff --git a/sys/net/route.c b/sys/net/route.c
index b2ac61f1b03..2a06b2e4b27 100644
--- a/sys/net/route.c
+++ b/sys/net/route.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: route.c,v 1.214 2015/06/22 09:07:11 mpi Exp $	*/
+/*	$OpenBSD: route.c,v 1.215 2015/06/29 11:04:16 mpi Exp $	*/
 /*	$NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $	*/
 
 /*
@@ -1088,6 +1088,16 @@ rt_checkgate(struct ifnet *ifp, struct rtentry *rt, struct sockaddr *dst,
 			if (rt->rt_gwroute == NULL)
 				return (EHOSTUNREACH);
 		}
+		/*
+		 * Next hop must be reachable, this also prevents rtentry
+		 * loops, for example when rt->rt_gwroute points to rt.
+		 */
+		if (((rt->rt_gwroute->rt_flags & (RTF_UP|RTF_GATEWAY)) !=
+		    RTF_UP) || (rt->rt_gwroute->rt_ifp != ifp)) {
+			rtfree(rt->rt_gwroute);
+			rt->rt_gwroute = NULL;
+			return (EHOSTUNREACH);
+		}
 		rt = rt->rt_gwroute;
 	}