infinite loop in esp6_ctlinput()?

George V. Neville-Neil gnn at neville-neil.com
Tue Aug 28 21:18:31 PDT 2007


At Wed, 29 Aug 2007 00:28:47 +0900,
jinmei wrote:
> 
> At Tue, 28 Aug 2007 19:49:11 +0800,
> blue <susan.lan at zyxel.com.tw> wrote:
> 
> > According to the GDB backtrace, I think this is what I am talking about.
> > 
> > Besides, this would result in an infinite loop just by looking at the 
> > code. However, the author seems to know the problem, too. The comments 
> > in esp6_ctlinput() point out:
> >          /*
> >           * Although pfctlinput2 will call esp6_ctlinput(), there is
> >           * no possibility of an infinite loop of function calls,
> >           * because we don't pass the inner IPv6 header.
> >           */
> > 
> > I am not sure what the description means. The behavior of 
> > esp6_ctlinput() is the same in HEAD, too.
> 
> This means that variable 'ip6' should be NULL for the second time
> esp6_ctlinput() is called in the esp_input.c ("non-FAST" IPSEC)
> version.  It prevents the function calls from making an infinite loop.
> 
> On the other hand, the ipsec_input.c (FAST_IPSEC) version only seems
> to check ip6ctlparam * ('d') is NULL, making the infinite sequence of
> calls possible.

I am now going over the code that Jinmei-san has kindly pointed out
and will attempt a patch soon.  I am also hoping to develop a reliable
way to trigger this bug, based on the report from Pawel Worach on
current at .

Best,
George
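As an added illustration, not code from this thread or from FreeBSD, here is a constructed C model of the call chain the thread describes: a pfctlinput2()-style dispatcher calls the handler, and the handler re-dispatches the error. The variant that only checks the ip6ctlparam pointer 'd' re-enters itself until a demo-only depth bound stops it; the variant that also tests ip6 and passes NULL for the inner header stops after a single round. All function and variable names here are models of the thread's description, not the kernel's own.

```c
#include <stddef.h>
/* Constructed model, not FreeBSD code: the call chain from the thread,
 * esp6_ctlinput() -> pfctlinput2() -> esp6_ctlinput(), in miniature. */
#define MAX_DEPTH 16  /* demo-only bound so the buggy variant terminates */

typedef void (*ctlinput_fn)(int cmd, const void *ip6, void *d);

static ctlinput_fn registered;  /* the one handler "in the protosw" */
static int depth, max_depth;    /* recursion bookkeeping for the demo */

/* Model of pfctlinput2(): the kernel walks every protocol's pr_ctlinput;
 * here only the handler under test is registered. */
static void pfctlinput2_model(int cmd, const void *ip6, void *d)
{
    if (registered)
        registered(cmd, ip6, d);
}

/* Per the thread's description of the FAST_IPSEC version: only 'd' is
 * checked and the inner header is forwarded unchanged, so every dispatch
 * re-enters this function. */
void esp6_ctlinput_buggy(int cmd, const void *ip6, void *d)
{
    if (d == NULL) return;
    if (++depth > max_depth) max_depth = depth;
    if (depth <= MAX_DEPTH)  /* demo bound only; the real loop has none */
        pfctlinput2_model(cmd, ip6, d);
    depth--;
}

/* Per the thread's description of esp_input.c: bail out when ip6 is NULL
 * and never pass the inner IPv6 header on re-dispatch, so the second
 * entry returns before dispatching again. */
void esp6_ctlinput_guarded(int cmd, const void *ip6, void *d)
{
    if (d == NULL || ip6 == NULL) return;
    if (++depth > max_depth) max_depth = depth;
    pfctlinput2_model(cmd, NULL, d);  /* inner header deliberately dropped */
    depth--;
}

/* Delivers one ICMPv6 error and returns the deepest recursion level
 * reached: 1 means the handler ran once and no re-entry happened. */
int run_ctlinput(ctlinput_fn fn)
{
    int param = 1;          /* stands in for the ip6ctlparam */
    registered = fn;
    depth = max_depth = 0;
    fn(0, &param, &param);  /* outer call carries an inner header */
    return max_depth;
}
```

Without the demo bound the buggy variant never returns, which is the kernel-side hang the backtrace in the thread shows; a check on the pointer that the re-dispatch clears is what keeps the mutual recursion to one round.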
