Subject: Fix for kern/4561
To: None <tech-net@netbsd.org>
From: None <erh@netbsd.org>
List: tech-net
Date: 10/04/1999 01:54:05
	I've come up with a way of fixing PR 4561.  A sequence of
route commands can cause the rt_gwroute field of a rtentry to
point back to itself.  When the route gets deleted the rtentry
gets freed twice.  The problem is that RTF_UP is cleared before
freeing gwroute.  Moving the line that does this to after the
rtfree(gwroute) fixes the problem.
	I'm wondering if leaving the route marked as up would cause any
problems.  I didn't see any, but I would appreciate it if someone
could double check this.

thanks,
eric

--- route.c.orig        Sun Oct  3 18:13:54 1999
+++ route.c     Sun Oct  3 18:14:44 1999
@@ -427,11 +427,11 @@
                if (rn->rn_flags & (RNF_ACTIVE | RNF_ROOT))
                        panic ("rtrequest delete");
                rt = (struct rtentry *)rn;
-               rt->rt_flags &= ~RTF_UP;
                if (rt->rt_gwroute) {
                        rt = rt->rt_gwroute; RTFREE(rt);
                        (rt = (struct rtentry *)rn)->rt_gwroute = 0;
                }
+               rt->rt_flags &= ~RTF_UP;
                if ((ifa = rt->rt_ifa) && ifa->ifa_rtrequest)
                        ifa->ifa_rtrequest(RTM_DELETE, rt, SA(0));
                rttrash++;
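Review bot: the correctness of this hunk now depends on statement order, and nothing in the code says so; add a comment above the moved `rt->rt_flags &= ~RTF_UP;` explaining that RTF_UP must stay set while `RTFREE(rt)` runs on `rt_gwroute`, because when `rt_gwroute` refers to the entry itself that call would otherwise release the entry that the very next line, `(rt = (struct rtentry *)rn)->rt_gwroute = 0;`, writes to, and the later release of `rt` would then free it a second time. Without that comment a future cleanup is likely to move the flag clear back to its original position. Separately, this change only defuses the symptom at delete time; the self-referencing `rt_gwroute` described in the cover mail is still created, so it is worth checking whether the code that assigns `rt_gwroute` should refuse to point an entry at itself.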