5.3 IPSEC broken

Niki Denev nike_d at cytexbg.com
Sun Sep 26 02:51:47 PDT 2004


Sam Leffler writes:

> On Saturday 25 September 2004 04:50 pm, Bjoern A. Zeeb wrote:
>> On Sat, 25 Sep 2004, Sam Leffler wrote:
>> > > > That's a 216 byte packet, fwiw.  I instrumented key.c and ran into
>> > > > the following ENOBUFS case on key.c:6957:
>> > > >
>> > > >         /* align the mbuf chain so that extensions are in contiguous
>> > > > region. */ error = key_align(m, &mh);
>> > > >         if (error)
>> > > >                 return error;
>> > > >
>> > > >         if (m->m_next) {        /*XXX*/
>> > > >                 m_freem(m);
>> > > >                 return ENOBUFS;
>> > > >         }
>> > > >
>> > > > I.e., the author knew it was a bug (feature) that an additional mbuf
>> > > > couldn't be handled here, but we do need to handle one.  Looks like
>> > > > much of the surrounding code could be replaced with a call to
>> > > > m_defrag() and/or m_pullup().
>> > >
>> > > Just to mention that i too experience this problem,
>> > > but with FAST_IPSEC so this probably means that if any fix will be made
>> > > for netkey/key.c then netipsec/key.c will need it too.(as far as i can
>> > > tell) Please correct me if i'm wrong.
>> >
>> > Correct.  I gave Robert a fix that was sent to me for fast ipsec.  I was
>> > going to commit it this weekend after some testing.
>>
>> could you perhaps post it or place it somewhere for download ?
> 
> sam         2004-09-26 02:01:27 UTC
> 
>   FreeBSD src repository
> 
>   Modified files:
>     sys/netipsec         key.c 
>   Log:
>   Correct handling of SADB_UPDATE and SADB_ADD requests.  key_align may split
>   the mbuf due to use of m_pulldown.  Discarding the result because of this
>   does not make sense as no subsequent code depends on the entire msg being
>   linearized (only the individual pieces).  It's likely something else is 
> wrong
>   here but for now this appears to get things back to a working state.
>   
>   Submitted by:   Roselyn Lee
>   
>   Revision  Changes    Path
>   1.17      +0 -5      src/sys/netipsec/key.c
> http://cvsweb.FreeBSD.org/src/sys/netipsec/key.c.diff?r1=1.16&r2=1.17

And for netkey/key.c ?


--niki

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20040926/dd0de1a9/attachment.bin


More information about the freebsd-current mailing list