Subject: Re: PR/35273 CVS commit: src/sys/netinet
To: None <joerg@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Antti Kantee <pooka@cs.hut.fi>
List: netbsd-bugs
Date: 01/14/2007 16:25:02
The following reply was made to PR kern/35273; it has been noted by GNATS.

From: Antti Kantee <pooka@cs.hut.fi>
To: joerg@NetBSD.org
Cc: netbsd-bugs@netbsd.org, dlagno@rambler.ru, gnats-bugs@NetBSD.org
Subject: Re: PR/35273 CVS commit: src/sys/netinet
Date: Sun, 14 Jan 2007 18:20:59 +0200

 On Sat Jan 13 2007 at 23:15:05 +0000, Joerg Sonnenberger wrote:
 >  Modified Files:
 >  	src/sys/netinet: ip_output.c
 >  
 >  Log Message:
 >  Unconditionally zero and free iproute. Before, IPsec tunnel packets, e.g.
 >  from ICMP, could end up leaking the reference in iproute, as
 >  ipsec4_output would overwrite the ro pointer in state.
 >  
 >  Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
 >  
 >  
 >  To generate a diff of this commit:
 >  cvs rdiff -r1.173 -r1.174 src/sys/netinet/ip_output.c
 
 Given that this is the hack I posted a week ago to hide the problem,
 can you explain why you now consider it the correct fix, even though we
 both agreed it was just a hack?
 
 I do agree that obviously we should never come out of ip_output() with
 a route cached to iproute, but shouldn't we be fixing ipsec4_output()
 instead?  Or at least clearly mark this as a hack?  This reeks of
 bug-masking code.
 
 -- 
 Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
 http://www.iki.fi/pooka/                          http://www.NetBSD.org/
     "the most indispensable quality of a cook is punctuality"