route_output: Fix RTM_DELETE rtentry leakage
This actually incorporates two dependent changes.
- Change to routing code:
Keep the rtinfo in the netmsg unchanged, so all CPU on the ntemsg
forwarding path will see the same rtinfo setup by rtrequest1_global()
or rtsearch_global()'s caller, instead of the rtinfo baked by the
previous CPU.
This is critical step before we could free the rtentry in route_output()
RTM_DELETE callback, since in this callback, fillrtmsg() will change
the rtinfo to point the current rtentry's memory. As long as we feed
it a rtinfo local copy, we are safe to free the rtentry later, no
dangling memory reference anymore.
- Change to the rtsock code:
Since the rtinfo setup in the route_output() points to the memory in
the preallocated rtm, so we could not allow the callback of
rtrequset1_global()/ rtsearch_global() to free the rtm if reallocation
is required due to the rtm size changes. We keep two different pointer
fields in the callback argument now. One is the save the preallocated
rtm, which is pointed to by the rtinfo. It could be freed only after
a new rtm is allocated and rtrequset1_global()/ rtsearch_global() are
done, so rtinfo will not reference invalid memory. The other pointer
saves the new rtm if there is any.
Comments are added to the related places.
Reported-by: ruse39 on EFnet