K 10
svn:author
V 8
vangyzen
K 8
svn:date
V 27
2023-05-30T17:13:03.590277Z
K 7
svn:log
V 909
Fix NULL deref in ip_output during route change

When changing the interface address during a route change,
the rtentry's rt_ifa will be NULL briefly.  Some parts of
ip_output do not handle that NULL.  In such case, re-validate
the rtentry.  That validation does not check the rt_ifa, but
it does lock the route, which will synchronize with
rtrequest1_fib_change.

I would prefer to leave the rt_ifa pointer intact during
the route change, but ip6_output is not fully protected
by the net_epoch, so that could allow a use-after-free.
ip6_output already handles a NULL rt_ifa.

This is a direct commit to stable/12 because later branches
have nexthop and do not appear to have this bug.

PR:		271573
Reported by:	Gaurav.Gandhi@dell.com
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D40236

Git Hash:   8fa89d8b190472778ed07db9d8937cb1ce7b44fc
Git Author: vangyzen@FreeBSD.org
END