CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2025/08/13 07:00:29

Modified files:
	sys/net        : route.c 

Log message:
Clear RTF_MPATH flag for cloned routes.

If two CPUs concurrently send to the same destination IP, both will call
rtalloc_mpath() and rt_clone(). The resulting cloned routes inherit the
RTF_MPATH flag from the cloning route so two rtentry ARP entries are
added to the routing table and arp_list.

Later, when the ARP entries expire in arptimer(), the function
arptfree(rt) will call rtdeletemsg(rt) which uses rtrequest_delete() in
order to delete the expired rtentry. However, the expired rtentry is not
directly passed to rtrequest_delete(), so it will re-lookup the entry
based on lookup keys and might delete the other matching entry. When
arptimer() continues looping over the arp_list, it will access the
already released second entry and crash due to use-after-free.

Prevent this problem by clearing the RTF_MPATH flag for RTM_RESOLVE in
rtrequest(). This way only one ARP entry can be created.

from markus@
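As an added illustration of the mechanism in the log message (a constructed model, not OpenBSD's route.c: the function names mirror the kernel's, the bodies are simplified, and the table is a plain linked list), this shows why a cloned route that inherits RTF_MPATH lets two entries for one host coexist, and why a delete that re-looks up by key can then release the entry that was not expired:

```c
/* Constructed model of the race in the commit message; not OpenBSD code. */
#include <stdlib.h>
#define RTF_MPATH 0x1
enum { RTM_ADD, RTM_RESOLVE };
struct rtentry { unsigned dst; int flags; int expired; struct rtentry *next; };
static struct rtentry *table;   /* stands in for the routing table / arp_list */
static int fix_enabled;         /* 1: clear RTF_MPATH for RTM_RESOLVE */
/* Add a route; a second entry for the same dst is allowed only if both are RTF_MPATH. */
static struct rtentry *rtrequest(int req, unsigned dst, int flags)
{
    if (req == RTM_RESOLVE && fix_enabled)
        flags &= ~RTF_MPATH;    /* the fix: a cloned host route is never multipath */
    for (struct rtentry *r = table; r; r = r->next)
        if (r->dst == dst && !(r->flags & flags & RTF_MPATH))
            return NULL;        /* duplicate rejected */
    struct rtentry *rt = calloc(1, sizeof *rt);
    if (rt) { rt->dst = dst; rt->flags = flags; rt->next = table; table = rt; }
    return rt;
}
/* Delete by key, as rtrequest_delete() does: unlinks the first entry matching dst,
 * which is not necessarily the entry the caller had in hand. */
static struct rtentry *rtrequest_delete(unsigned dst)
{
    for (struct rtentry **pp = &table; *pp; pp = &(*pp)->next)
        if ((*pp)->dst == dst) { struct rtentry *v = *pp; *pp = v->next; return v; }
    return NULL;
}
/* Two CPUs resolve the same host via a multipath cloning route; each clone inherits
 * the parent's flags (RTF_MPATH). Returns how many host entries end up in the table. */
static int clone_from_two_cpus(unsigned host, int fix)
{
    while (table) { struct rtentry *r = table; table = r->next; free(r); }
    fix_enabled = fix;
    int n = 0;
    for (int cpu = 0; cpu < 2; cpu++)
        if (rtrequest(RTM_RESOLVE, host, RTF_MPATH)) n++;
    return n;
}
/* arptimer(): expire the oldest entry and delete it through the key lookup. Returns 1
 * when the lookup released a different entry than the expired one (the real loop would
 * then walk into freed memory). */
static int expire_hits_wrong_entry(unsigned host, int fix)
{
    clone_from_two_cpus(host, fix);
    struct rtentry *oldest = table;
    while (oldest->next) oldest = oldest->next;   /* head is newest, tail oldest */
    oldest->expired = 1;
    for (struct rtentry *r = table; r; r = r->next)
        if (r->expired) { struct rtentry *v = rtrequest_delete(r->dst); int wrong = v != r; free(v); return wrong; }
    return 0;
}
```

Without the fix two host entries are created and the key lookup releases the newer, unexpired one; with RTF_MPATH cleared for RTM_RESOLVE the second clone is rejected as a duplicate and the lookup can only find the expired entry.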