Subject: kern/4561: NetBSD crashes with certain sequence of 'route' commands.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <haszlaki@uiuc.edu>
List: netbsd-bugs
Date: 11/21/1997 19:46:34
>Number:         4561
>Category:       kern
>Synopsis:       NetBSD crashes with certain sequence of 'route' commands.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 21 18:35:02 1997
>Last-Modified:
>Originator:     Eric Haszlakiewicz
>Organization:
>Release:        971120
>Environment:
	i386 + alpha
System: NetBSD realms.isdn.uiuc.edu 1.3_ALPHA NetBSD 1.3_ALPHA (REALMS) #22: Thu Nov 20 04:02:23 CST 1997 root@realms.isdn.uiuc.edu:/usr/src/sys/arch/i386/compile/REALMS i386


>Description:
	When a certain sequence of route commands is issued the NetBSD
kernel crashes because of what appears to be corrupted data in the
routing table.  Not likely to be machine dependent.
>How-To-Repeat:
	ifconfig everything then:
		# route add 127.0.0.0 127.0.0.2
		add net 127.0.0.0: gateway 127.0.0.2
(this next line must change it to what it already is (or something close)
	route change 127.0.0.0 127.0.30.16 still crashes.  It appears that
	the requirement necessary for the problem is that the routing code
	references the routing table to see where the gateway goes.  So
	using "route add 127.0.0.0 <blah>" works fine if blah is directly
	connected.)
		# route change 127.0.0.0 127.0.0.2
		change net 127.0.0.0: gateway 127.0.0.2
		# route delete 127.0.0.0
Now it has a cow (or rather a slab of dead beef) when trying to get the len
from a bogus sockaddr * in rt_msg2().  I believe the problem happens during the
"route change" command, but I'm not sure yet.
>Fix:
	...working on it...anyone see anything obvious?
>Audit-Trail:
>Unformatted: