On Thu, Oct 13, 2016 at 13:48 +0200, Mike Belopuhov wrote:
> On Thu, Oct 13, 2016 at 11:06 +0000, Christian Weisgerber wrote:
> > On 2016-10-12, Christian Weisgerber <na...@mips.inka.de> wrote:
> > 
> > > After the second m_makespace():
> > > 
> > >     +------+-----+      +------+      +--------+-----+
> > >     | IPv6 | ESP | ---- | IPv6 | ---- | ICMPv6 | ESP |
> > >     +------+-----+      +------+      +--------+-----+
> > > 
> > > With m_inject(), it would instead be something like this:
> > > 
> > >     +------+    +-----+      +------+      +--------
> > >     | IPv6 |----| ESP | ---- | IPv6 | ---- | ICMPv6 ...
> > >     +------+    +-----+      +------+      +--------
> > 
> > Found it.  It's this snippet of nd6_ns_output() that handles those
> > mbuf chains differently:
> > 
> > 	if (ln && ln->ln_hold) {
> > 		hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
> > 		/* XXX pullup? */
> > 		if (sizeof(*hip6) < ln->ln_hold->m_len)
> > 			saddr6 = &hip6->ip6_src;
> > 		else
> > 			saddr6 = NULL;
> > 	} else
> > 		saddr6 = NULL;
> > 
> > Did this only ever work by accident?
> > 
> 
> Does reversing this condition work? (sizeof > m_len)
> I believe the comment about pullup is pointless.
> 
> FreeBSD has moved this code into nd6_llinfo_get_holdsrc and
> fixed this condition in this diff:
> https://svnweb.freebsd.org/base?view=revision&revision=288652
> 

I wonder if KAME people are actually right and we don't need to check
this at all.  Can we get a packet w/o an IPv6 header there or an mbuf
chain with an empty first mbuf?

https://github.com/kame/kame/blob/master/kame/sys/netinet6/nd6_nbr.c#L520

> > -- 
> > Christian "naddy" Weisgerber                          na...@mips.inka.de
> > 
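To make the comparison concrete, here is a small C model of the check the thread is arguing about. It is an added example, not code from OpenBSD, FreeBSD or KAME: `struct mbuf`, `struct ip6_hdr`, `mtod()` and the three chain layouts are constructed stand-ins following the two diagrams quoted above (plus the empty-first-mbuf case asked about), and `holdsrc_fixed()` encodes this example's own reading of the correct test (the first mbuf must hold at least `sizeof(struct ip6_hdr)` bytes), not the text of any committed fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types in the thread: enough to model
 * an mbuf chain (m_len bytes per mbuf) and the 40-byte IPv6 header at the
 * front of ln_hold.  Not the real <sys/mbuf.h> / <netinet/ip6.h> types. */
struct in6_addr { uint8_t s6_addr[16]; };

struct ip6_hdr {
	uint32_t        ip6_flow;
	uint16_t        ip6_plen;
	uint8_t         ip6_nxt;
	uint8_t         ip6_hlim;
	struct in6_addr ip6_src;
	struct in6_addr ip6_dst;
};

struct mbuf {
	struct mbuf *m_next;       /* next mbuf in the chain, NULL at the end */
	int          m_len;        /* bytes of packet data in this mbuf */
	uint8_t      m_data[128];  /* fixed data area (the kernel's is not) */
};

#define mtod(m, t)	((t)(m)->m_data)

/* Constructed source address fe80::1 written into every IPv6 header below. */
static const struct in6_addr src_fe80_1 =
    { { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 } };

/* The test exactly as in the quoted nd6_ns_output() snippet: the held header
 * is used only if the first mbuf holds strictly MORE than the header. */
static const struct in6_addr *
holdsrc_strict(const struct mbuf *hold)
{
	const struct ip6_hdr *hip6;

	if (hold == NULL)
		return NULL;
	hip6 = mtod(hold, const struct ip6_hdr *);
	if (sizeof(*hip6) < (size_t)hold->m_len)
		return &hip6->ip6_src;
	return NULL;
}

/* Assumed correct form (this example's reading, not a quote of any commit):
 * the header is addressable once the first mbuf holds at least
 * sizeof(struct ip6_hdr) contiguous bytes; anything shorter is rejected. */
static const struct in6_addr *
holdsrc_fixed(const struct mbuf *hold)
{
	const struct ip6_hdr *hip6;

	if (hold == NULL)
		return NULL;
	hip6 = mtod(hold, const struct ip6_hdr *);
	if ((size_t)hold->m_len >= sizeof(*hip6))
		return &hip6->ip6_src;
	return NULL;
}

/* Link n zeroed mbufs with the given m_len values and put an IPv6 header
 * (version nibble 6, src fe80::1) at the front of mbuf number hdr_at. */
static struct mbuf *
build_chain(struct mbuf *arr, const int *lens, int n, int hdr_at)
{
	int i;

	memset(arr, 0, sizeof(*arr) * (size_t)n);
	for (i = 0; i < n; i++) {
		arr[i].m_len = lens[i];
		arr[i].m_next = (i + 1 < n) ? &arr[i + 1] : NULL;
	}
	arr[hdr_at].m_data[0] = 0x60;
	mtod(&arr[hdr_at], struct ip6_hdr *)->ip6_src = src_fe80_1;
	return arr;
}

/* Layouts from the two diagrams above, plus the empty-first-mbuf case
 * (constructed sizes: IPv6 40, ESP header 8, ICMPv6 NS 24 bytes). */
static struct mbuf ma[3], mb[4], mc[2];
static const int makespace_lens[3]   = { 48, 40, 32 };    /* [IPv6|ESP]->[IPv6]->[ICMPv6|ESP] */
static const int inject_lens[4]      = { 40, 8, 40, 24 }; /* [IPv6]->[ESP]->[IPv6]->[ICMPv6]  */
static const int empty_first_lens[2] = { 0, 64 };         /* [ ]->[IPv6|ICMPv6]               */

static struct mbuf *build_makespace_chain(void)   { return build_chain(ma, makespace_lens, 3, 0); }
static struct mbuf *build_inject_chain(void)      { return build_chain(mb, inject_lens, 4, 0); }
static struct mbuf *build_empty_first_chain(void) { return build_chain(mc, empty_first_lens, 2, 1); }

static int
is_fe80_1(const struct in6_addr *a)
{
	return a != NULL && memcmp(a->s6_addr, src_fe80_1.s6_addr, 16) == 0;
}

int
main(void)
{
	struct mbuf *chains[3] = { build_makespace_chain(), build_inject_chain(),
	    build_empty_first_chain() };
	const char *names[3] = { "m_makespace", "m_inject", "empty first" };
	int i;

	for (i = 0; i < 3; i++)
		printf("%-12s first m_len=%2d strict=%d fixed=%d\n", names[i],
		    chains[i]->m_len, is_fe80_1(holdsrc_strict(chains[i])),
		    is_fe80_1(holdsrc_fixed(chains[i])));
	return 0;
}
```

With the m_makespace() layout the first mbuf carries 48 bytes, so both forms of the test find fe80::1. With the m_inject() layout it carries exactly the 40-byte header: the strict `sizeof(*hip6) < m_len` rejects it and the source address is lost, while the `>=` form accepts it. A chain whose first mbuf is empty is rejected by both, which is the one thing the check buys: `mtod()` knows nothing about `m_len`, so without some length test `hip6->ip6_src` would be read from bytes that mbuf does not hold.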