When adding a non-host route and not specifying the netmask information for that route, the rn_walktree_from() code will attempt to dereference the null pointer for the netmask and the system will crash. This is not seen in the AF_INET address family, since the code always adds a netmask.

Fix: Take a look at the code for rtrequest() in sys/net/route.c, near the bottom (line 511 from the 2.1.0 source base). There is an 'if' statement that calls the routine rnh->rnh_walktree_from(). The 'if' makes sure that the RTF_HOST bit is not set. If you take a look at all of the other calls to rnh_walktree_from(), you will see that a check is also being made to make sure that the netmask is non-NULL. The context diff for the fix is included here:

*** route.c-new Wed Aug 21 21:39:52 1996 --- route.c-orig Wed Aug 21 21:39:05 1996 *************** *** 508,514 **** * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt; --- 508,514 ---- * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! if (!(rt->rt_flags & RTF_HOST)) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt;

How-To-Repeat: The only two address families I have been working with have been AF_INET and AF_INET6, the latter being the one with which I was seeing the crash. The mods for the AF_INET6 family are available from ftp://ftp.inria.fr/network/ipv6/ as part of the IP Version 6 enablement effort. With these mods, one can crash the machine with the command: route add -inet6 ::2 ::1 I am sure that the machine can be crashed without them using a different address family, but I am not familiar enough with those families to produce a proper configuration.
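Review bot: the hunk is reversed relative to its intent. The `*** route.c-new` header puts the fixed file on the old side and `--- route.c-orig` puts the original on the new side, so the `!` line under `*** 508,514 ****` (`if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) {`) is the corrected condition and the `---` side is the crashing one; fed to patch(1) as written it would remove the fix from a tree that already has it. Regenerate it as `diff -c route.c-orig route.c-new`, or apply it with `patch -R`. The added `rt_mask(rt) != 0` test itself is the right change: it matches the other rnh_walktree_from() call sites the report mentions and stops the walker from being handed a NULL netmask for a maskless non-host route.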
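The guard the report describes, as an added example that is not FreeBSD's route.c: struct rtentry, rt_mask(), struct rtfc_arg and the walker below are constructed stand-ins named after the kernel symbols in the report, and the RTF_HOST bit value and the 128-bit mask type are assumptions for this model. It keeps the unfixed predicate (RTF_HOST only) as a safe-to-evaluate check that reports when the walker would have been called on a maskless route, and puts the fixed predicate beside it.

```c
/* Added example (not FreeBSD's route.c): a constructed model of the guard the
 * report describes. struct rtentry, rt_mask(), struct rtfc_arg and the walker
 * are simplified stand-ins named after the kernel symbols in the report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTF_HOST 0x4      /* host-route flag; the bit value is chosen for this model */

/* Constructed 128-bit netmask, the kind an AF_INET6 route would carry. */
struct netmask6 { uint8_t bytes[16]; };

struct rtentry {
    int rt_flags;
    const struct netmask6 *rt_netmask;   /* NULL when "route add" gave no mask */
};
#define rt_mask(rt) ((rt)->rt_netmask)

struct rtfc_arg { struct rtentry *rt0; int visited; };

/* Stand-in for rnh_walktree_from(): it inspects the mask bytes to choose the
 * subtree to walk, so a NULL mask here is the NULL dereference that panicked
 * the machine in the report. Returns the number of all-ones mask bytes. */
static int walktree_from(struct rtfc_arg *arg)
{
    const struct netmask6 *mask = rt_mask(arg->rt0);
    int prefix_bytes = 0;
    for (size_t i = 0; i < sizeof mask->bytes; i++)
        if (mask->bytes[i] == 0xff)
            prefix_bytes++;
    arg->visited = 1;
    return prefix_bytes;
}

/* The original predicate tested only the RTF_HOST bit. This returns 1 when
 * rtrequest() would have called the walker on a maskless route, i.e. the
 * crashing case. Nothing is dereferenced, so it is safe to evaluate. */
int unfixed_would_walk_null_mask(const struct rtentry *rt)
{
    return !(rt->rt_flags & RTF_HOST) && rt_mask(rt) == NULL;
}

/* Fixed form, mirroring the other rnh_walktree_from() call sites: walk only
 * non-host routes that actually carry a netmask. Returns the walker's result,
 * or -1 when the walk was skipped. */
int rtrequest_fixed(struct rtentry *rt)
{
    if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != NULL) {
        struct rtfc_arg arg;
        arg.rt0 = rt;
        arg.visited = 0;
        return walktree_from(&arg);
    }
    return -1;
}

int main(void)
{
    /* Constructed routes: a /64 mask, a maskless non-host route (the shape of
     * "route add -inet6 ::2 ::1"), and a host route. */
    struct netmask6 mask64 = { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } };
    struct rtentry maskless = { 0, NULL };
    struct rtentry masked   = { 0, &mask64 };
    struct rtentry host     = { RTF_HOST, NULL };

    printf("maskless: unfixed would walk=%d, fixed=%d\n",
           unfixed_would_walk_null_mask(&maskless), rtrequest_fixed(&maskless));
    printf("masked  : fixed=%d\n", rtrequest_fixed(&masked));
    printf("host    : fixed=%d\n", rtrequest_fixed(&host));
    return 0;
}
```

The maskless non-host route is the only input for which the two predicates disagree: the unfixed one would hand it to the walker, the fixed one skips it; the /64 route is walked and yields 8 all-ones bytes, and the host route is skipped by both.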
State Changed From-To: open->closed Suggested fix applied, rev 1.35 of route.c