From cb4688c90eead16a0ff16654cec050f9ee06304b Mon Sep 17 00:00:00 2001 From: ru Date: Fri, 22 Mar 2002 16:45:54 +0000 Subject: [PATCH] Prevent icmp_reflect() from calling ip_output() with a NULL route pointer which will then result in the allocated route's reference count never being decremented. Just flood ping the localhost and watch refcnt of the 127.0.0.1 route with netstat(1). Submitted by: jayanth Back out ip_output.c,v 1.143 and ip_mroute.c,v 1.69 that allowed ip_output() to be called with a NULL route pointer. The previous paragraph shows why this was a bad idea in the first place. MFC after: 0 days --- sys/netinet/ip_icmp.c | 4 ++-- sys/netinet/ip_mroute.c | 3 ++- sys/netinet/ip_output.c | 10 ++++------ 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index c671a0a630ad..7042dd87c4b9 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -600,6 +600,8 @@ icmp_reflect(m) } t = ip->ip_dst; ip->ip_dst = ip->ip_src; + ro = &rt; + bzero(ro, sizeof(*ro)); /* * If the incoming packet was addressed directly to us, * use dst as the src for the reply. Otherwise (broadcast @@ -620,8 +622,6 @@ icmp_reflect(m) goto match; } } - ro = &rt; - bzero(ro, sizeof(*ro)); ia = ip_rtaddr(ip->ip_dst, ro); /* We need a route to do anything useful. */ if (ia == NULL) { diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c index 32493080fb60..4847b6d54c58 100644 --- a/sys/netinet/ip_mroute.c +++ b/sys/netinet/ip_mroute.c @@ -1867,6 +1867,7 @@ tbf_send_packet(vifp, m) { struct ip_moptions imo; int error; + static struct route ro; int s = splnet(); if (vifp->v_flags & VIFF_TUNNEL) { @@ -1885,7 +1886,7 @@ tbf_send_packet(vifp, m) * should get rejected because they appear to come from * the loopback interface, thus preventing looping. */ - error = ip_output(m, (struct mbuf *)0, NULL, + error = ip_output(m, (struct mbuf *)0, &ro, IP_FORWARDING, &imo); if (mrtdebug & DEBUG_XMIT) diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index d46d9842c9e7..f456456cfbd6 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -123,12 +123,12 @@ ip_output(m0, opt, ro, flags, imo) struct mbuf *m = m0; int hlen = sizeof (struct ip); int len, off, error = 0; - struct route iproute; struct sockaddr_in *dst; struct in_ifaddr *ia; int isbroadcast, sw_csum; struct in_addr pkt_dst; #ifdef IPSEC + struct route iproute; struct socket *so = NULL; struct secpolicy *sp = NULL; #endif @@ -189,6 +189,9 @@ ip_output(m0, opt, ro, flags, imo) #ifdef DIAGNOSTIC if ((m->m_flags & M_PKTHDR) == 0) panic("ip_output no HDR"); + if (!ro) + panic("ip_output no route, proto = %d", + mtod(m, struct ip *)->ip_p); #endif if (opt) { m = ip_insertoptions(m, opt, &len); @@ -214,11 +217,6 @@ ip_output(m0, opt, ro, flags, imo) hlen = IP_VHL_HL(ip->ip_vhl) << 2; } - /* Route packet. */ - if (ro == NULL) { - ro = &iproute; - bzero(ro, sizeof(*ro)); - } dst = (struct sockaddr_in *)&ro->ro_dst; /* * If there is a cached route,