Fix rte refcount leak in ip6_forward().

Reviewed by: ae MFC after: 2 weeks Sponsored by: Yandex LLC
svn path=/head/; revision=294411
2016-01-20 11:25:30 +00:00 · 2016-01-20 11:25:30 +00:00 · af8451a51e · 2020-12-20 02:59:44 +00:00
commit af8451a51e
parent a72c8092c7
1 changed files with 5 additions and 2 deletions
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@ -341,6 +341,7 @@ ip6_forward(struct mbuf *m, int srcrt)
 	dst->sin6_addr = ip6->ip6_dst;
 again2:
 	rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
+	rt = rin6.ro_rt;
 	if (rin6.ro_rt != NULL)
 		RT_UNLOCK(rin6.ro_rt);
 	else {
@ -352,7 +353,6 @@ ip6_forward(struct mbuf *m, int srcrt)
 		}
 		goto bad;
 	}
-	rt = rin6.ro_rt;

 	/*
 	 * Source scope check: if a packet can't be delivered to its
@ -505,8 +505,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		/* If destination is now ourself drop to ip6_input(). */
 		if (in6_localip(&ip6->ip6_dst))
 			m->m_flags |= M_FASTFWD_OURS;
-		else
+		else {
+			RTFREE(rt);
 			goto again;	/* Redo the routing table lookup. */
+		}
 	}

 	/* See if local, if yes, send it to netisr. */
@ -533,6 +535,7 @@ ip6_forward(struct mbuf *m, int srcrt)
 		m->m_flags |= M_SKIP_FIREWALL;
 		m->m_flags &= ~M_IP6_NEXTHOP;
 		m_tag_delete(m, fwd_tag);
+		RTFREE(rt);
 		goto again2;
 	}