From owner-freebsd-net@FreeBSD.ORG  Wed Apr  6 21:55:07 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4A8E3106564A
	for <freebsd-net@FreeBSD.org>; Wed,  6 Apr 2011 21:55:07 +0000 (UTC)
	(envelope-from if@xip.at)
Received: from chile.gbit.at (ns1.xip.at [193.239.188.99])
	by mx1.freebsd.org (Postfix) with ESMTP id 82FE38FC13
	for <freebsd-net@FreeBSD.org>; Wed,  6 Apr 2011 21:55:05 +0000 (UTC)
Received: (qmail 25953 invoked from network); 6 Apr 2011 23:55:02 +0200
Received: from unknown (HELO filebunker.xip.at) (89.207.145.147)
	by chile.gbit.at with (DHE-RSA-AES256-SHA encrypted) SMTP;
	6 Apr 2011 23:55:02 +0200
Date: Wed, 6 Apr 2011 23:55:01 +0200 (CEST)
From: Ingo Flaschberger <if@xip.at>
To: freebsd-net@FreeBSD.org
Message-ID: <alpine.LRH.2.00.1104062350520.2152@filebunker.xip.at>
User-Agent: Alpine 2.00 (LRH 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: 
Subject: ip_forward / ip_output / RTFREE?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 21:55:07 -0000

Hi,

in sys/netinet/ip_output.c at the end of ip_output:
done:
         if (ro == &iproute && ro->ro_rt && !nortfree) {
                 RTFREE(ro->ro_rt);
         }
ro->ro_rt gets freed, if not from flowtable.

but in sys/netinet/ip_input.c, ip_forward after ip_output is called:
error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL);

         if (error == EMSGSIZE && ro.ro_rt)
                 mtu = ro.ro_rt->rt_rmx.rmx_mtu;
         if (ro.ro_rt)
                 RTFREE(ro.ro_rt);

first the mtu is saved an the it will be freed.

so:
*) double free? - mtu could be invalid?
*) could also free a flowtable entry?


Mit freundlichen Gruessen,
 	Ingo Flaschberger

Geschaeftsleitung
____________________________________
crossip communications gmbh
A-1020 Wien, Sebastian Kneipp Gasse 1/3

Sitz der Gesellschaft: 1020 Wien, Oesterreich
Firmenbuchgericht: Handelsgericht Wien, FN 269698 s,
Umsatzsteueridentifikationsnummer (UID): ATU62080367

Haftungsausschluss / Disclaimer <http://www.xip.at/content/view/278/>