On Thu, Oct 13, 2016 at 13:48 +0200, Mike Belopuhov wrote:
> On Thu, Oct 13, 2016 at 11:06 +0000, Christian Weisgerber wrote:
> > On 2016-10-12, Christian Weisgerber <na...@mips.inka.de> wrote:
> > 
> > > After the second m_makespace():
> > >
> > >     +------+-----+      +------+      +--------+-----+
> > >     | IPv6 | ESP | ---- | IPv6 | ---- | ICMPv6 | ESP |
> > >     +------+-----+      +------+      +--------+-----+
> > >
> > > With m_inject(), it would instead be something like this:
> > >
> > >     +------+    +-----+      +------+      +--------
> > >     | IPv6 |----| ESP | ---- | IPv6 | ---- | ICMPv6  ...
> > >     +------+    +-----+      +------+      +--------
> > 
> > Found it.  It's this snippet of nd6_ns_output() that handles those
> > mbuf chains differently:
> > 
> >     454                 if (ln && ln->ln_hold) {
> >     455                         hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
> >     456                         /* XXX pullup? */
> >     457                         if (sizeof(*hip6) < ln->ln_hold->m_len)
> >     458                                 saddr6 = &hip6->ip6_src;
> >     459                         else
> >     460                                 saddr6 = NULL;
> >     461                 } else
> >     462                         saddr6 = NULL;
> > 
> > Did this only ever work by accident?
> >
> 
> Does reversing this condition work? (sizeof > m_len)
> I believe the comment about pullup is pointless.
> 
> FreeBSD has moved this code into nd6_llinfo_get_holdsrc and
> fixed this condition in this diff:
> https://svnweb.freebsd.org/base?view=revision&revision=288652
>

I wonder if the KAME people are actually right and we don't need to
check this at all.  Can we get a packet w/o an IPv6 header there
or an mbuf chain with an empty first mbuf?
https://github.com/kame/kame/blob/master/kame/sys/netinet6/nd6_nbr.c#L520

> > -- 
> > Christian "naddy" Weisgerber                          na...@mips.inka.de
> > 

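As an added illustration, not code from OpenBSD, FreeBSD, KAME or anyone in this thread: a toy mbuf chain built from the two ASCII diagrams above, run through the length check quoted from nd6_ns_output() and through an assumed alternative that only requires the header to fit in the first mbuf. The chain contents, the minimal `struct mbuf` and `struct ip6_hdr_min`, and the name `holdsrc_if_fits` are all constructed for the example; the alternative is not what either project committed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy mbuf: just enough of the real struct to exercise the m_len check. */
struct mbuf {
    unsigned char *m_data;
    size_t         m_len;
    struct mbuf   *m_next;
};

/* Minimal IPv6 header with the same 40-byte layout as struct ip6_hdr. */
struct ip6_hdr_min {
    uint32_t ip6_flow;
    uint16_t ip6_plen;
    uint8_t  ip6_nxt;
    uint8_t  ip6_hlim;
    uint8_t  ip6_src[16];
    uint8_t  ip6_dst[16];
};

#define IP6_HDRLEN (sizeof(struct ip6_hdr_min))
#define ESP_BYTES  8   /* SPI + sequence number, the fixed part of an ESP header */

/* Constructed source address 2001:db8::1 used by every sample header. */
static const uint8_t sample_src[16] =
    { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* Write a constructed IPv6 header (next header ESP) into buf. */
static void put_ip6_hdr(unsigned char *buf)
{
    memset(buf, 0, IP6_HDRLEN);
    buf[0] = 0x60;   /* version 6 */
    buf[6] = 50;     /* next header: ESP */
    buf[7] = 64;     /* hop limit */
    memcpy(buf + offsetof(struct ip6_hdr_min, ip6_src), sample_src, 16);
}

/* The check as quoted from nd6_ns_output(): the held packet's source is
 * used only when the header is strictly smaller than the first mbuf. */
static const uint8_t *holdsrc_as_quoted(const struct mbuf *m)
{
    const struct ip6_hdr_min *hip6 = (const struct ip6_hdr_min *)m->m_data;
    if (sizeof(*hip6) < m->m_len)
        return hip6->ip6_src;
    return NULL;
}

/* Assumed alternative: accept the header whenever it fits entirely in the
 * first mbuf; an empty or too-short first mbuf still yields NULL. */
static const uint8_t *holdsrc_if_fits(const struct mbuf *m)
{
    const struct ip6_hdr_min *hip6 = (const struct ip6_hdr_min *)m->m_data;
    if (m->m_len >= sizeof(*hip6))
        return hip6->ip6_src;
    return NULL;
}

/* Layout after the two m_makespace() calls: [IPv6|ESP] -> [IPv6] -> [ICMPv6|ESP] */
static struct mbuf *chain_makespace(void)
{
    static _Alignas(8) unsigned char first[IP6_HDRLEN + ESP_BYTES];
    static _Alignas(8) unsigned char inner[IP6_HDRLEN];
    static unsigned char payload[8 + ESP_BYTES];
    static struct mbuf m1, m2, m3;
    put_ip6_hdr(first);
    memset(first + IP6_HDRLEN, 0xAA, ESP_BYTES);
    put_ip6_hdr(inner);
    memset(payload, 0xBB, sizeof payload);
    m3 = (struct mbuf){ payload, sizeof payload, NULL };
    m2 = (struct mbuf){ inner, sizeof inner, &m3 };
    m1 = (struct mbuf){ first, sizeof first, &m2 };
    return &m1;
}

/* Layout with m_inject(): [IPv6] -> [ESP] -> [IPv6] -> [ICMPv6 ...
 * The first mbuf holds exactly the 40-byte IPv6 header and nothing else. */
static struct mbuf *chain_inject(void)
{
    static _Alignas(8) unsigned char first[IP6_HDRLEN];
    static unsigned char esp[ESP_BYTES];
    static _Alignas(8) unsigned char inner[IP6_HDRLEN];
    static unsigned char payload[8];
    static struct mbuf m1, m2, m3, m4;
    put_ip6_hdr(first);
    memset(esp, 0xAA, sizeof esp);
    put_ip6_hdr(inner);
    memset(payload, 0xBB, sizeof payload);
    m4 = (struct mbuf){ payload, sizeof payload, NULL };
    m3 = (struct mbuf){ inner, sizeof inner, &m4 };
    m2 = (struct mbuf){ esp, sizeof esp, &m3 };
    m1 = (struct mbuf){ first, sizeof first, &m2 };
    return &m1;
}

/* Constructed edge case from the question above: an empty first mbuf. */
static struct mbuf *chain_empty_first(void)
{
    static _Alignas(8) unsigned char rest[IP6_HDRLEN];
    static unsigned char empty[1];
    static struct mbuf m1, m2;
    put_ip6_hdr(rest);
    m2 = (struct mbuf){ rest, sizeof rest, NULL };
    m1 = (struct mbuf){ empty, 0, &m2 };
    return &m1;
}

/* 1 if the check returned a source equal to sample_src, else 0. */
static int src_found(const uint8_t *(*check)(const struct mbuf *), struct mbuf *m)
{
    const uint8_t *s = check(m);
    return s != NULL && memcmp(s, sample_src, 16) == 0;
}

int main(void)
{
    printf("as quoted, m_makespace chain: %d\n", src_found(holdsrc_as_quoted, chain_makespace()));
    printf("as quoted, m_inject chain:    %d\n", src_found(holdsrc_as_quoted, chain_inject()));
    printf("if fits,   m_inject chain:    %d\n", src_found(holdsrc_if_fits, chain_inject()));
    printf("if fits,   empty first mbuf:  %d\n", src_found(holdsrc_if_fits, chain_empty_first()));
    return 0;
}
```

With the first mbuf holding exactly 40 bytes, `sizeof(*hip6) < m_len` is false, so the quoted check drops the held packet's source and the two chain layouts are treated differently; the fits-check treats them the same and still rejects an empty first mbuf.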