Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 25 Sep 2004 19:38:27 -0700
From:      Sam Leffler <sam@errno.com>
To:        freebsd-current@freebsd.org
Cc:        Robert Watson <rwatson@freebsd.org>
Subject:   Re: 5.3 IPSEC broken
Message-ID:  <200409251938.28089.sam@errno.com>
In-Reply-To: <Pine.BSF.4.53.0409252349140.93902@e0-0.zab2.int.zabbadoz.net>
References:  <Pine.NEB.3.96L.1040925150944.79682C-100000@fledge.watson.org> <200409251502.34281.sam@errno.com> <Pine.BSF.4.53.0409252349140.93902@e0-0.zab2.int.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Saturday 25 September 2004 04:50 pm, Bjoern A. Zeeb wrote:
> On Sat, 25 Sep 2004, Sam Leffler wrote:
> > > > That's a 216 byte packet, fwiw.  I instrumented key.c and ran into
> > > > the following ENOBUFS case on key.c:6957:
> > > >
> > > >         /* align the mbuf chain so that extensions are in contiguous
> > > > region. */ error = key_align(m, &mh);
> > > >         if (error)
> > > >                 return error;
> > > >
> > > >         if (m->m_next) {        /*XXX*/
> > > >                 m_freem(m);
> > > >                 return ENOBUFS;
> > > >         }
> > > >
> > > > I.e., the author knew it was a bug (feature) that an additional mbuf
> > > > couldn't be handled here, but we do need to handle one.  Looks like
> > > > much of the surrounding code could be replaced with a call to
> > > > m_defrag() and/or m_pullup().
> > >
> > > Just to mention that i too experience this problem,
> > > but with FAST_IPSEC so this probably means that if any fix will be made
> > > for netkey/key.c then netipsec/key.c will need it too.(as far as i can
> > > tell) Please correct me if i'm wrong.
> >
> > Correct.  I gave Robert a fix that was sent to me for fast ipsec.  I was
> > going to commit it this weekend after some testing.
>
> could you perhaps post it or place it somewhere for download ?

sam         2004-09-26 02:01:27 UTC

  FreeBSD src repository

  Modified files:
    sys/netipsec         key.c 
  Log:
  Correct handling of SADB_UPDATE and SADB_ADD requests.  key_align may split
  the mbuf due to use of m_pulldown.  Discarding the result because of this
  does not make sense as no subsequent code depends on the entire msg being
  linearized (only the individual pieces).  It's likely something else is 
wrong
  here but for now this appears to get things back to a working state.
  
  Submitted by:   Roselyn Lee
  
  Revision  Changes    Path
  1.17      +0 -5      src/sys/netipsec/key.c
http://cvsweb.FreeBSD.org/src/sys/netipsec/key.c.diff?r1=1.16&r2=1.17

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409251938.28089.sam>