From owner-freebsd-net@FreeBSD.ORG Wed Aug 29 05:25:43 2007
Date: Wed, 29 Aug 2007 14:24:05 +0900
From: "George V. Neville-Neil"
To: "George V. Neville-Neil"
Cc: "Bjoern A. Zeeb", freebsd-net@freebsd.org, blue, JINMEI Tatuya / 神明達哉
Subject: Re: infinite loop in esp6_ctlinput()?
References: <46D38543.4020507@zyxel.com.tw> <46D3B747.1090903@zyxel.com.tw> <20070828092348.Y87821@maildrop.int.zabbadoz.net> <46D40BB7.4060100@zyxel.com.tw>

Hi,

Please try the attached patch, which mimics exactly what the Kame code used to do. I have not fully tested it, but it builds and runs. I will need some time to reproduce the panic you saw on one of my boxes. If you can tell me the steps you took to get that to happen, that would be great.

Best,
George

==== //depot/user/gnn/ipsec_seven/src/sys/netipsec/ipsec_input.c#1 - /home/gnn/user/gnn/ipsec_seven/src/sys/netipsec/ipsec_input.c ==== @@ -761,6 +761,11 @@ void esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) { + struct ip6ctlparam *ip6cp = NULL; + struct mbuf *m = NULL; + struct ip6_hdr *ip6; + int off; + if (sa->sa_family != AF_INET6 || sa->sa_len != sizeof(struct sockaddr_in6)) return;
@@ -768,10 +773,18 @@ return; /* if the parameter is from icmp6, decode it. */ - if (d != NULL) { - struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d; - struct mbuf *m = ip6cp->ip6c_m; - int off = ip6cp->ip6c_off; + if (d != NULL) { + ip6cp = (struct ip6ctlparam *)d; + m = ip6cp->ip6c_m; + ip6 = ip6cp->ip6c_ip6; + off = ip6cp->ip6c_off; + } else { + m = NULL; + ip6 = NULL; + off = 0; /* calm gcc */ + } + + if (ip6) { struct ip6ctlparam ip6cp1;
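Review bot: in the first hunk (the new declarations at the top of esp6_ctlinput()) the four locals are initialised inconsistently: `ip6cp` and `m` get `= NULL` while `ip6` and `off` are left uninitialised, which is what later forces the separate `else` branch and its `/* calm gcc */` assignment. Initialising all four at the declaration (`struct ip6_hdr *ip6 = NULL;` and `int off = 0;`) yields the same values on the `d == NULL` path and lets the else branch and the gcc comment go.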
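Review bot: in the second hunk the only logic change is that the body is now entered on `ip6 != NULL` instead of `d != NULL`, and `ip6` is simply `ip6cp->ip6c_ip6` copied out of the caller's parameter, so whether this stops the re-entry the subject line asks about cannot be judged from what is shown. If the `ip6cp1` block that follows (not in the hunk) still hands a copy of the parameter with `ip6c_ip6` set back to pfctlinput2(), a nested call into esp6_ctlinput() takes the same `if (ip6)` branch again. Please include the rest of the `if (ip6)` block in the patch so the termination condition is visible, and state in the commit message which KAME check this restores. Two smaller points: gating on `ip6` silently skips the body for a non-NULL `d` whose `ip6c_ip6` is NULL, which the old `d != NULL` code did not, so a one-line comment on `if (ip6)` saying that is intended would help; and the `- if (d != NULL) {` / `+ if (d != NULL) {` pair is a whitespace-only change that should be dropped to keep the diff to the real edit.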