Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!ihnp4!zehntel!hplabs!sri-unix!rws@Mit-Bold.ARPA
From: rws@Mit-Bold.ARPA
Newsgroups: net.unix-wizards
Subject: 4.2 raw_usrreq() reuses freed route
Message-ID: <195@sri-arpa.UUCP>
Date: Wed, 21-Mar-84 20:41:17 EST
Article-I.D.: sri-arpa.195
Posted: Wed Mar 21 20:41:17 1984
Date-Received: Sun, 25-Mar-84 08:12:37 EST
Lines: 20

From: Robert W. Scheifler

Description:
    When raw_usrreq() frees a route in the process of sending a packet,
    it doesn't zero the pointer to the route. This results in freeing
    the route multiple times, and in using that route for the duration,
    as all subsequent rtalloc's become no-ops (see the /* XXX */ comment
    in rtalloc).

Repeat-By:
    Use one socket to send raw packets that need different routes; many
    packets won't go where they are supposed to go.

Fix:
    In raw_usrreq(), under case PRU_SEND, change

        if (rp->rcb_route.ro_rt)
            rtfree(rp->rcb_route.ro_rt);

    to

        if (rp->rcb_route.ro_rt) {
            RTFREE(rp->rcb_route.ro_rt);
            rp->rcb_route.ro_rt = NULL;
        }
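
The failure described in the post, as an added example that is not part of the original post and is not 4.2BSD source: a user-space model of one socket's cached route, run with and without zeroing the pointer after the free. The names model_rtalloc, model_rtfree, send_all and the static pool are hypothetical, and the model assumes the send path frees the cached route when the destination changes.

```c
#include <stddef.h>

/* Constructed model, not 4.2BSD source. Routes sit in a static pool, so a
 * "freed" route can still be inspected safely. */
#define POOL 8
struct rtentry { int rt_dst; int rt_refcnt; };
struct route   { int ro_dst; struct rtentry *ro_rt; };
struct result  { int misrouted; int double_frees; };

static struct rtentry pool[POOL];
static int npool;

/* As the post describes rtalloc: a no-op while a route pointer is cached. */
static void model_rtalloc(struct route *ro)
{
    if (ro->ro_rt)
        return;
    pool[npool].rt_dst = ro->ro_dst;
    pool[npool].rt_refcnt = 1;
    ro->ro_rt = &pool[npool++];
}

/* Drop one reference; report whether the entry had already been released. */
static int model_rtfree(struct rtentry *rt)
{
    return rt->rt_refcnt-- <= 0;
}

/* Send one packet per destination over a single cached route (one socket).
 * Assumed: the send path frees the cached route when the destination changes.
 * zero_ptr != 0 applies the fix from the post (clear the pointer after freeing). */
struct result send_all(const int *dsts, int n, int zero_ptr)
{
    struct route ro = { 0, NULL };
    struct result r = { 0, 0 };
    npool = 0;
    for (int i = 0; i < n && i < POOL; i++) {
        if (ro.ro_rt && ro.ro_dst != dsts[i]) {
            r.double_frees += model_rtfree(ro.ro_rt);
            if (zero_ptr)
                ro.ro_rt = NULL;
        }
        ro.ro_dst = dsts[i];
        model_rtalloc(&ro);
        if (ro.ro_rt->rt_dst != dsts[i])
            r.misrouted++;          /* packet followed the stale route */
    }
    return r;
}
```

With three distinct destinations, the unfixed path misroutes every packet after the first and releases the same route twice; with the pointer zeroed, each packet gets a fresh route.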