diff options
| author |   mpi <mpi@openbsd.org> | 2015-06-29 11:04:16 +0000 |
|---|---|---|
| committer | mpi <mpi@openbsd.org> | 2015-06-29 11:04:16 +0000 |
| commit | e67d2d73f81017fc0d301146dab5052f38059556 (patch) | |
| tree | 0191a2543fdebc76be9895f23dc9a0c74639be08 | |
| parent | Add missing definition of "usb_interface_assoc_descriptor" needed to for (diff) | |
| download | wireguard-openbsd-e67d2d73f81017fc0d301146dab5052f38059556.tar.xz wireguard-openbsd-e67d2d73f81017fc0d301146dab5052f38059556.zip | |
Never cache a RTF_GATEWAY route as next hop for a gateway route.
This prevents rtentry loops when rt->rt_gwroute points to rt leading
to an infamous "rtentry leak" panic, easily triggered by dhclient(8)
trying to remove a route after resuming a machine.
This bug is at least 20 years old! 4.4BSD-Lite2 had a fix for it in
its X.25 output routine but apparently it never made it into OpenBSD.
ok claudio@
| -rw-r--r-- | sys/net/route.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/net/route.c b/sys/net/route.c index b2ac61f1b03..2a06b2e4b27 100644 --- a/sys/net/route.c +++ b/sys/net/route.c @@ -1,4 +1,4 @@ -/* $OpenBSD: route.c,v 1.214 2015/06/22 09:07:11 mpi Exp $ */ +/* $OpenBSD: route.c,v 1.215 2015/06/29 11:04:16 mpi Exp $ */ /* $NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $ */ /* @@ -1088,6 +1088,16 @@ rt_checkgate(struct ifnet *ifp, struct rtentry *rt, struct sockaddr *dst, if (rt->rt_gwroute == NULL) return (EHOSTUNREACH); } + /* + * Next hop must be reachable, this also prevents rtentry + * loops, for example when rt->rt_gwroute points to rt. + */ + if (((rt->rt_gwroute->rt_flags & (RTF_UP|RTF_GATEWAY)) != + RTF_UP) || (rt->rt_gwroute->rt_ifp != ifp)) { + rtfree(rt->rt_gwroute); + rt->rt_gwroute = NULL; + return (EHOSTUNREACH); + } rt = rt->rt_gwroute; } |