From: "George V. Neville-Neil" <gnn@neville-neil.com>
To: JINMEI Tatuya / 神明達哉
Cc: "Bjoern A. Zeeb", blue, freebsd-net@freebsd.org
Subject: Re: infinite loop in esp6_ctlinput()?
Date: Wed, 29 Aug 2007 11:13:25 +0900
List-Id: Networking and TCP/IP with FreeBSD

At Wed, 29 Aug 2007 00:28:47 +0900,
jinmei wrote:
>
> At Tue, 28 Aug 2007 19:49:11 +0800,
> blue wrote:
>
> > According to the GDB backtrace, I think this is what I am talking about.
> >
> > Besides, this would result in an infinite loop just by looking at the
> > code. However, the author seems to know about the problem, too. The comments
> > in esp6_ctlinput() point out:
> >
> >     /*
> >      * Although pfctlinput2 will call esp6_ctlinput(), there is
> >      * no possibility of an infinite loop of function calls,
> >      * because we don't pass the inner IPv6 header.
> >      */
> >
> > I am not sure what the description means. The behavior of
> > esp6_ctlinput() is the same in HEAD, too.
>
> This means that variable 'ip6' should be NULL for the second time
> esp6_ctlinput() is called in the esp_input.c ("non-FAST" IPSEC)
> version. It prevents the function calls from making an infinite loop.
>
> On the other hand, the ipsec_input.c (FAST_IPSEC) version only seems
> to check whether ip6ctlparam * ('d') is NULL, making the infinite
> sequence of calls possible.

I am now going over the code that Jinmei-san has kindly pointed out and
will attempt a patch soon. I am also hoping to develop a reliable way to
trigger this bug, based on the report from Pawel Worach on current@.

Best,
George
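The following is an added model of the two guards Jinmei describes, written for this page; it is not FreeBSD's esp6_ctlinput(), pfctlinput2() or struct ip6ctlparam. The handler signature, the struct fields, the single-protocol handler table and the MAX_DEPTH cut-off are simplifications assumed here so the runaway case can be observed without crashing. The first handler mirrors the esp_input.c ("non-FAST") guard, which returns when the inner IPv6 header pointer is NULL; the second mirrors the FAST_IPSEC guard as the thread describes it, which only tests the parameter pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct ip6ctlparam. The real ctlinput handler
 * also receives a command code and a sockaddr; this model keeps only the
 * field the thread is about: the pointer to the inner IPv6 header. */
struct ctlparam {
    const void *ip6;   /* inner IPv6 header of the quoted packet, or NULL */
    int depth;         /* model-only bookkeeping: re-dispatches so far */
};

#define MAX_DEPTH 64   /* model-only cut-off; a real kernel would overflow its stack */

typedef void (*ctlinput_fn)(int cmd, void *d);

static ctlinput_fn handlers[4];
static int nhandlers;
static int dispatch_count;   /* how many times dispatch() ran */
static int aborted;          /* set when the cut-off had to stop runaway recursion */

/* Stand-in for pfctlinput2(): deliver the control message to every
 * registered protocol handler, which includes the one that called us. */
static void dispatch(int cmd, void *d)
{
    dispatch_count++;
    for (int i = 0; i < nhandlers; i++)
        handlers[i](cmd, d);
}

/* Model of the esp_input.c ("non-FAST") esp6_ctlinput(): the re-dispatch
 * does not pass the inner IPv6 header, and the handler returns as soon as
 * ip6 is NULL, so the second call ends the chain. */
static void esp6_ctlinput_checks_ip6(int cmd, void *d)
{
    struct ctlparam *p = d;
    if (p == NULL || p->ip6 == NULL)
        return;                            /* second call: no inner header */
    struct ctlparam inner = { NULL, p->depth + 1 };
    dispatch(cmd, &inner);
}

/* Model of the ipsec_input.c (FAST_IPSEC) esp6_ctlinput() as the thread
 * describes it: only d == NULL is checked. The re-dispatch always hands over
 * a non-NULL parameter block, so that guard never fires and the handler
 * re-enters itself through dispatch() until something else stops it. */
static void esp6_ctlinput_checks_d_only(int cmd, void *d)
{
    struct ctlparam *p = d;
    if (p == NULL)
        return;
    if (p->depth >= MAX_DEPTH) {           /* not in the real code: model cut-off */
        aborted = 1;
        return;
    }
    p->depth++;
    dispatch(cmd, p);                      /* d is never NULL here */
}

/* Register one handler and inject a single control message carrying a
 * constructed inner header. Returns how many dispatches resulted; if
 * was_aborted is non-NULL it is set when the depth cut-off had to fire. */
static int run(ctlinput_fn h, int *was_aborted)
{
    static const char fake_inner_header[40] = "constructed IPv6 header bytes";
    struct ctlparam param = { fake_inner_header, 0 };

    nhandlers = 0;
    handlers[nhandlers++] = h;
    dispatch_count = 0;
    aborted = 0;

    dispatch(1 /* stand-in for a PRC_* code */, &param);

    if (was_aborted != NULL)
        *was_aborted = aborted;
    return dispatch_count;
}

int main(void)
{
    int a;
    int n = run(esp6_ctlinput_checks_ip6, &a);
    printf("ip6 check:    %d dispatches, cut-off %s\n", n, a ? "hit" : "not needed");
    n = run(esp6_ctlinput_checks_d_only, &a);
    printf("d-only check: %d dispatches, cut-off %s\n", n, a ? "hit" : "not needed");
    return 0;
}
```

The point the model makes visible is that the non-FAST guard works only because the re-dispatch deliberately drops the inner header, which gives the second call something to test; a guard that tests nothing but the parameter pointer cannot tell the first delivery from the re-entrant one, so the chain is cut only by the model's artificial depth limit (in a kernel, by the stack).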