Subject: Re: PR/35273 CVS commit: src/sys/netinet
To: None <joerg@NetBSD.org>
From: Antti Kantee <pooka@cs.hut.fi>
List: netbsd-bugs
Date: 01/14/2007 18:20:59
On Sat Jan 13 2007 at 23:15:05 +0000, Joerg Sonnenberger wrote:
>  Modified Files:
>  	src/sys/netinet: ip_output.c
>  
>  Log Message:
>  Unconditionally zero and free iproute. Before, IPsec tunnel packets, e.g.
>  from ICMP, could end up leaking the reference in iproute, as
>  ipsec4_output would overwrite the ro pointer in state.
>  
>  Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
>  
>  
>  To generate a diff of this commit:
>  cvs rdiff -r1.173 -r1.174 src/sys/netinet/ip_output.c

Given that this is the hack I posted a week ago to hide the problem,
can you explain why you now consider it the correct fix, even though we
both agreed it was just a hack?

I do agree that obviously we should never come out of ip_output() with
a route cached to iproute, but shouldn't we be fixing ipsec4_output()
instead?  Or at least clearly mark this as a hack?  This reeks of
bug-masking code.

-- 
Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
http://www.iki.fi/pooka/                          http://www.NetBSD.org/
    "la qualité la plus indispensable du cuisinier est l'exactitude"
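As an added illustration of the leak pattern the commit message describes, here is a hypothetical C model (not NetBSD code, and not the real ip_output()/ipsec4_output() logic): the caller keeps a route cached in a local "iproute" and points a shared state struct at it; the tunnel step overwrites that pointer with its own cache; the caller's cleanup then releases whatever the pointer names now, so the local cache's reference is never dropped. The model runs the committed fix (release the local cache by name, unconditionally) beside the alternative raised in the reply (have the callee not clobber a pointer it does not own). All struct, function and variant names here are invented for the model.

```c
/*
 * Hypothetical model of a cached-route reference leak caused by a callee
 * overwriting the caller's route pointer in a shared state struct.
 * Simplified stand-ins only; not NetBSD's rtentry/route/ip_output code.
 */
#include <stdio.h>
#include <stdlib.h>

/* Reference-counted route entry (stand-in for the kernel's rtentry). */
struct rtentry {
    int refcnt;
};

/* A route cache: owns exactly one reference to ro_rt while it is non-NULL. */
struct route {
    struct rtentry *ro_rt;
};

/* Per-packet state handed down the output path; ro names the active cache. */
struct output_state {
    struct route *ro;
};

/* Number of rtentry objects currently allocated; non-zero after a run is a leak. */
static int live_rtentries;

static struct rtentry *rt_alloc(void)
{
    struct rtentry *rt = calloc(1, sizeof *rt);
    if (rt == NULL)
        abort();
    rt->refcnt = 1;
    live_rtentries++;
    return rt;
}

static void rt_unref(struct rtentry *rt)
{
    if (--rt->refcnt == 0) {
        free(rt);
        live_rtentries--;
    }
}

/* Fill the cache with a looked-up route, taking a reference on it. */
static void route_lookup(struct route *ro)
{
    ro->ro_rt = rt_alloc();
}

/* Drop the cache's reference, if any, and zero the cache. */
static void route_release(struct route *ro)
{
    if (ro->ro_rt != NULL) {
        rt_unref(ro->ro_rt);
        ro->ro_rt = NULL;
    }
}

enum variant {
    VARIANT_ORIGINAL,     /* cleanup releases whatever state.ro points at */
    VARIANT_FREE_IPROUTE, /* committed fix: always release the local cache by name */
    VARIANT_CALLEE_FIXED  /* alternative: callee hands the caller's pointer back */
};

/* Tunnel step: uses its own persistent cache and points state->ro at it. */
static void tunnel_output(struct output_state *st, enum variant v)
{
    static struct route tunnel_ro;      /* persistent cache owned by the tunnel code */
    struct route *saved = st->ro;       /* the caller's cache, which we do not own */

    route_lookup(&tunnel_ro);
    st->ro = &tunnel_ro;                /* clobbers the caller's pointer */
    /* ... the encapsulated packet would be sent here ... */
    route_release(&tunnel_ro);          /* tunnel code releases its own cache */

    if (v == VARIANT_CALLEE_FIXED)
        st->ro = saved;                 /* restore what we overwrote */
}

/*
 * Model of the output path: cache a route locally, optionally run the tunnel
 * step, then clean up.  Returns the number of rtentry objects still alive,
 * so 0 means every reference was dropped and 1 means the local cache leaked.
 */
int run_output(enum variant v, int tunnel)
{
    struct route iproute = { NULL };
    struct output_state st = { &iproute };

    live_rtentries = 0;
    route_lookup(&iproute);
    if (tunnel)
        tunnel_output(&st, v);

    if (v == VARIANT_FREE_IPROUTE)
        route_release(&iproute);        /* by name: independent of st.ro */
    else
        route_release(st.ro);           /* through the possibly clobbered pointer */

    return live_rtentries;
}

int main(void)
{
    printf("original, no tunnel:   %d leaked\n", run_output(VARIANT_ORIGINAL, 0));
    printf("original, tunnel:      %d leaked\n", run_output(VARIANT_ORIGINAL, 1));
    printf("free iproute, tunnel:  %d leaked\n", run_output(VARIANT_FREE_IPROUTE, 1));
    printf("callee fixed, tunnel:  %d leaked\n", run_output(VARIANT_CALLEE_FIXED, 1));
    return 0;
}
```

In the model, both fixes stop the leak; the difference the thread argues about is where the invariant lives. Releasing the local cache by name makes the caller immune to whatever the callee did to `st.ro`, which is why it works regardless of the callee's behaviour, while restoring the pointer in the callee keeps the ownership rule (a callee does not overwrite a cache pointer it did not allocate) at the place it was broken.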