5.3 IPSEC broken
Sam Leffler
sam at errno.com
Sat Sep 25 19:33:56 PDT 2004
On Saturday 25 September 2004 04:50 pm, Bjoern A. Zeeb wrote:
> On Sat, 25 Sep 2004, Sam Leffler wrote:
> > > > That's a 216 byte packet, fwiw. I instrumented key.c and ran into
> > > > the following ENOBUFS case on key.c:6957:
> > > >
> > > > /* align the mbuf chain so that extensions are in contiguous
> > > > region. */ error = key_align(m, &mh);
> > > > if (error)
> > > > return error;
> > > >
> > > > if (m->m_next) { /*XXX*/
> > > > m_freem(m);
> > > > return ENOBUFS;
> > > > }
> > > >
> > > > I.e., the author knew it was a bug (feature) that an additional mbuf
> > > > couldn't be handled here, but we do need to handle one. Looks like
> > > > much of the surrounding code could be replaced with a call to
> > > > m_defrag() and/or m_pullup().
> > >
> > > Just to mention that i too experience this problem,
> > > but with FAST_IPSEC so this probably means that if any fix will be made
> > > for netkey/key.c then netipsec/key.c will need it too.(as far as i can
> > > tell) Please correct me if i'm wrong.
> >
> > Correct. I gave Robert a fix that was sent to me for fast ipsec. I was
> > going to commit it this weekend after some testing.
>
> could you perhaps post it or place it somewhere for download ?
sam 2004-09-26 02:01:27 UTC
FreeBSD src repository
Modified files:
sys/netipsec key.c
Log:
Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split
the mbuf due to use of m_pulldown. Discarding the result because of this
does not make sense as no subsequent code depends on the entire msg being
linearized (only the individual pieces). It's likely something else is
wrong
here but for now this appears to get things back to a working state.
Submitted by: Roselyn Lee
Revision Changes Path
1.17 +0 -5 src/sys/netipsec/key.c
http://cvsweb.FreeBSD.org/src/sys/netipsec/key.c.diff?r1=1.16&r2=1.17
More information about the freebsd-current
mailing list