diff --git a/UPDATING b/UPDATING
index 92b0467ed642..608152f4fb26 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,12 @@ NOTE TO PEOPLE WHO THINK THAT 5.0-CURRENT IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.
 
+20030923:
+	Fix a bug in arplookup(), whereby a hostile party on a locally
+	attached network could exhaust kernel memory, and cause a system 
+	panic, by sending a flood of spoofed ARP requests. See
+	FreeBSD-SA-03:14.arp.
+
 20030915:
 	A change to /etc/defaults/rc.conf now causes inetd to be started
 	with `-C 60' if it is not overridden in /etc/rc.conf.  This
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index c02ba555bad1..22ca55e4b902 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -918,12 +918,20 @@ arplookup(addr, create, proxy)
 	else if (rt->rt_gateway->sa_family != AF_LINK)
 		why = "gateway route is not ours";
 
-	if (why && create) {
-		log(LOG_DEBUG, "arplookup %s failed: %s\n",
-		    inet_ntoa(sin.sin_addr), why);
-		return 0;
-	} else if (why) {
-		return 0;
+	if (why) {
+		if (create)
+			log(LOG_DEBUG, "arplookup %s failed: %s\n",
+			    inet_ntoa(sin.sin_addr), why);
+
+		/* If there are no references to this route, purge it */
+		if (rt->rt_refcnt <= 0 &&
+		    (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) {
+			rtrequest(RTM_DELETE,
+					(struct sockaddr *)rt_key(rt),
+					rt->rt_gateway, rt_mask(rt),
+					rt->rt_flags, 0);
+		}
+		return (0);
 	}
 	return ((struct llinfo_arp *)rt->rt_llinfo);
 }
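Review bot: The purge test `(rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED` looks inverted: as written it leaves cloned routes alone and deletes unreferenced routes that were not cloned, which could include administratively configured entries. If the intent, as the UPDATING entry suggests, is to reclaim entries created on behalf of spoofed requests, the condition would presumably be `(rt->rt_flags & RTF_WASCLONED) != 0`; this should be confirmed against how the route is allocated earlier in arplookup(), which starts above this hunk. The comment should state both conditions, e.g. `/* Purge the route only if it is unreferenced and was cloned */`. The return value of `rtrequest()` is also discarded, so a failed delete leaves the entry in place with no log line.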