Bug 25421

Summary: route structures are being leaked.
Product: Base System Reporter: msmith <msmith>
Component: kernAssignee: ru <ru>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description msmith 2001-02-27 20:30:01 UTC 
This was found in a kernel with networking code derived from FreeBSD
not from FreeBSD itself.  However, from a code review of the FreeBSD-4.2 source, it appears FreeBSD has the same problem.

In in_losing() we have this:

        if ((rt = inp->inp_route.ro_rt)) {
                inp->inp_route.ro_rt = 0;
                bzero((caddr_t)&info, sizeof(info));
                info.rti_info[RTAX_DST] =
                        (struct sockaddr *)&inp->inp_route.ro_dst;
                info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
                info.rti_info[RTAX_NETMASK] = rt_mask(rt);
                rt_missmsg(RTM_LOSING, &info, rt->rt_flags, 0);
                if (rt->rt_flags & RTF_DYNAMIC)
                        (void) rtrequest(RTM_DELETE, rt_key(rt),
                                rt->rt_gateway, rt_mask(rt), rt->rt_flags,
                                (struct rtentry **)0);
                else
                /*
                 * A new route can be allocated
                 * the next time output is attempted.
                 */
                        rtfree(rt);
        }

Since rt was the cached route of the pcb, the ref count is >= 1 since
the pcb will have a ref count on it.  In the case of a dynamic route,
in_losing calls rtrequest to delete the route but not rtfree.
rtrequest() only deletes the route from the routing table.  It does
not free the route structure unless rt_refcnt is 0.  We know
it won't be zero because the pcb has a ref count.  As a result it
appears that we leak a route structure since it will never be freed.

Fix: 

In in_losing() the fix appears to be to simply delete the else just
before the rtfree() call so that rtfree is always called.
How-To-Repeat: The problem is easiest to recreate on a lossy network where we
receive a lot of route redirects.
Comment 1 Jesper Skriver freebsd_committer freebsd_triage 2001-05-28 21:59:53 UTC 
Responsible Changed
From-To: freebsd-bugs->jesper

Will work on this one
Comment 2 ru freebsd_committer freebsd_triage 2001-06-29 13:09:02 UTC 
State Changed
From-To: open->feedback

Fixed in 5.0-CURRENT, in_pcb.c,v 1.85.
Comment 3 ru freebsd_committer freebsd_triage 2001-06-29 13:09:02 UTC 
Responsible Changed
From-To: jesper->ru

MFC reminder.
Comment 4 ru freebsd_committer freebsd_triage 2001-08-08 09:16:00 UTC 
State Changed
From-To: feedback->closed

Fixed in 4.4-PRERELEASE, in_pcb.c,v 1.59.2.16.