Hi,
I just came across the FreeBSD PR 10570, and it looks like we have the same
problem:
in sys/net/if.h, ifa_refcnt is a short. On a box used as a router with gated,
you can end up with more than 65535 routes on it (common for an ISP's
router). If, when deleting a route, ifa_refcnt falls back to 0 and ifa is
free'd while there where still 2^16 routes using it.
The FreeBSD PR suggests making ifa_refcnt an int.
Coments ?

PS: 2^16 routes are actually not an impossible situation. One time I
accidentally ended up on a config where gated accepted the routing table of
our ISP. I don't know how many entries there was in it but there was a lot :)

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--