rws@Mit-Bold.ARPA (03/22/84)
From: Robert W. Scheifler <rws@Mit-Bold.ARPA>
Description:
When raw_usrreq() frees a route in the process of sending a packet,
it doesn't zero the pointer to the route. This results in freeing
the route multiple times, and in using that route for the duration,
as all subsequent rtalloc's become no-ops (see the /* XXX */ comment
in rtalloc).
Repeat-By:
Use one socket to send raw packets that need different routes;
many packets won't go where they are supposed to go.
Fix:
In raw_usrreq(), under case PRU_SEND, change
if (rp->rcb_route.ro_rt)
rtfree(rp->rcb_route.ro_rt);
to
if (rp->rcb_route.ro_rt) {
RTFREE(rp->rcb_route.ro_rt);
rp->rcb_route.ro_rt = NULL;
}