8bf82a92d5
RTF_DYNAMIC route, it got freed twice). I am not sure what was the actual problem in 1992, but the current behavior is memory leak if PCB holds a reference to a dynamically created/modified routing table entry. (rt_refcnt>0 and we don't call rtfree().) My test bed was: 1. Set net.inet.tcp.msl to a low value (for test purposes), e.g., 5 seconds, to speed up the transition of TCP connection to a "closed" state. 2. Add a network route which causes ICMP redirect from the gateway. 3. ping(8) host H that matches this route; this creates RTF_DYNAMIC RTF_HOST route to H. (I was forced to use ICMP to cause gateway to generate ICMP host redirect, because gateway in question is a 4.2-STABLE system vulnerable to a problem that was fixed later in ip_icmp.c,v 1.39.2.6, and TCP packets with DF bit set were triggering this bug.) 4. telnet(1) to H 5. Block access to H with ipfw(8) 6. Send something in telnet(1) session; this causes EPERM, followed by an in_losing() call in a few seconds. 7. Delete ipfw(8) rule blocking access to H, and wait for TCP connection moving to a CLOSED state; PCB is freed. 8. Delete host route to H. 9. Watch with netstat(1) that `rttrash' increased. 10. Repeat steps 3-9, and watch `rttrash' increases. PR: kern/25421 MFC after: 2 weeks |
||
---|---|---|
.. | ||
libalias | ||
accf_data.c | ||
accf_http.c | ||
icmp6.h | ||
icmp_var.h | ||
if_atm.c | ||
if_atm.h | ||
if_ether.c | ||
if_ether.h | ||
if_fddi.h | ||
igmp_var.h | ||
igmp.c | ||
igmp.h | ||
in_cksum.c | ||
in_gif.c | ||
in_gif.h | ||
in_hostcache.c | ||
in_hostcache.h | ||
in_pcb.c | ||
in_pcb.h | ||
in_proto.c | ||
in_rmx.c | ||
in_systm.h | ||
in_var.h | ||
in.c | ||
in.h | ||
ip6.h | ||
ip_divert.c | ||
ip_dummynet.c | ||
ip_dummynet.h | ||
ip_ecn.c | ||
ip_ecn.h | ||
ip_encap.c | ||
ip_encap.h | ||
ip_flow.c | ||
ip_flow.h | ||
ip_fw.c | ||
ip_fw.h | ||
ip_icmp.c | ||
ip_icmp.h | ||
ip_id.c | ||
ip_input.c | ||
ip_mroute.c | ||
ip_mroute.h | ||
ip_output.c | ||
ip_var.h | ||
ip.h | ||
ipprotosw.h | ||
raw_ip.c | ||
tcp_debug.c | ||
tcp_debug.h | ||
tcp_fsm.h | ||
tcp_input.c | ||
tcp_output.c | ||
tcp_reass.c | ||
tcp_seq.h | ||
tcp_subr.c | ||
tcp_timer.c | ||
tcp_timer.h | ||
tcp_timewait.c | ||
tcp_usrreq.c | ||
tcp_var.h | ||
tcp.h | ||
tcpip.h | ||
udp_usrreq.c | ||
udp_var.h | ||
udp.h |