Fix a possible next-hop refcount leak when handling IPSec traffic.

It may be possible to fix this by deferring the lookup, but let's keep the initial change simple to make MFCs easier. PR: 246951 Reviewed by: melifaro MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25519
svn path=/head/; revision=362840
2020-07-01 15:42:48 +00:00 · 2020-07-01 15:42:48 +00:00 · d16a2e4784 · 2020-12-20 02:59:44 +00:00
commit d16a2e4784
parent f6c03fc6d0
1 changed files with 1 additions and 0 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1028,6 +1028,7 @@ ip_forward(struct mbuf *m, int srcrt)
 	if (IPSEC_ENABLED(ipv4)) {
 		if ((error = IPSEC_FORWARD(ipv4, m)) != 0) {
 			/* mbuf consumed by IPsec */
+			RO_NHFREE(&ro);
 			m_freem(mcopy);
 			if (error != EINPROGRESS)
 				IPSTAT_INC(ips_cantforward);