| author | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 16:54:39 +0000 |
|---|---|---|
| committer | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 16:54:39 +0000 |
| commit | 86b3a2088e55810222fb765837135fd098a9b936 (patch) | |
| tree | f834664aedd6bc7a6029a20dd2cbae8da0867cd2 | |
| parent | a3fd61e4f548f156e9b3750877a3a98a1b7e3fc9 (diff) | |
Notes
| -rw-r--r-- | UPDATING | 5 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/netinet/if_ether.c | 20 |
3 files changed, 20 insertions, 7 deletions
@@ -16,6 +16,11 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20030923: p39 FreeBSD-SA-03:14.arp + Fix a bug in arplookup(), whereby a hostile party on a locally + attached network could exhaust kernel memory, and cause a system + panic, by sending a flood of spoofed ARP requests. + 20030917: p38 FreeBSD-SA-03:13.sendmail Fix another address parsing buffer overflow. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index f8ec3304a08d..72ff4fabbe38 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.3" -BRANCH="RELEASE-p38" +BRANCH="RELEASE-p39" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c index 33f83866dd77..947c7094d230 100644 --- a/sys/netinet/if_ether.c +++ b/sys/netinet/if_ether.c @@ -787,12 +787,20 @@ arplookup(addr, create, proxy) else if (rt->rt_gateway->sa_family != AF_LINK) why = "gateway route is not ours"; - if (why && create) { - log(LOG_DEBUG, "arplookup %s failed: %s\n", - inet_ntoa(sin.sin_addr), why); - return 0; - } else if (why) { - return 0; + if (why) { + if (create) + log(LOG_DEBUG, "arplookup %s failed: %s\n", + inet_ntoa(sin.sin_addr), why); + + /* If there are no references to this route, purge it */ + if (rt->rt_refcnt <= 0 && + (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) { + rtrequest(RTM_DELETE, + (struct sockaddr *)rt_key(rt), + rt->rt_gateway, rt_mask(rt), + rt->rt_flags, 0); + } + return (0); } return ((struct llinfo_arp *)rt->rt_llinfo); } |
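Review bot: The purge condition in the if_ether.c hunk, `(rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED`, selects routes that were not cloned, which looks inverted for the stated goal. The UPDATING entry describes memory exhaustion from a flood of spoofed ARP requests, so the entries worth purging are presumably the ones cloned on demand by the route lookup earlier in arplookup(), which begins above the hunk and is not visible here. As written those entries are kept, while an unreferenced configured route that fails the `why` checks would be deleted. Consider `(rt->rt_flags & (RTF_STATIC | RTF_WASCLONED)) == RTF_WASCLONED` so that only cloned, non-static entries are removed, and consider gating the delete on `create` so that a pure lookup cannot alter the routing table. The return value of `rtrequest()` is also discarded, so a failed delete leaves the entry in place with no trace in the log.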
