The function rn_walktree_from() accesses to the array xm, however when a default IPv4 route is removed (RTM_DELETE), rn has the following values: rn->rn_bmask = 0x80h xm = { 0, 0, 0, 0 } rn->offset = 4
Then, sometimes the following test: if (!(rn->rn_bmask & xm[rn->rn_offset])) break; could lead to a panic when xm[4] is out of the 4KB pages. It happens very rarely. I am wondering if it is a well-known bug or if our analyse is wrong. static int rn_walktree_from(h, a, m, f, w) [...] for (rn = h->rnh_treetop; rn->rn_bit >= 0; ) { last = rn; /* printf("rn_bit %d, rn_bmask %x, xm[rn_offset] %x\n", rn->rn_bit, rn->rn_bmask, xm[rn->rn_offset]); */ if (!(rn->rn_bmask & xm[rn->rn_offset])) { /* XXX: panic ??? */ break; } if (rn->rn_bmask & xa[rn->rn_offset]) { rn = rn->rn_right; } else { rn = rn->rn_left; } } [ ... ] Regards, Vincent To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message