Hello, I'm getting a crash in xfrm4_rcv_encap a few seconds after setting up my IPSEC connection (tunnel for default route 0.0.0.0/0 to next router).

The call chain is:

softirq ... net_rx_action process_backlog netif_receive_skb ip_rcv ip_local_deliver xfrm4_rcv xfrm4_rcv_encap

The crash occurs here:

  87: 0f 85 5f 01 00 00 jne 1ec <xfrm4_rcv_encap+0x1ec>
  8d: 8b 80 dc 00 00 00 mov 0xdc(%eax),%eax
  93: 8b 55 c8 mov 0xffffffc8(%ebp),%edx
> 96: 66 39 10 cmp %dx,(%eax)
  99: 0f 85 4d 01 00 00 jne 1ec <xfrm4_rcv_encap+0x1ec>
  9f: 80 7f 71 00 cmpb $0x0,0x71(%edi)
  a3: 74 12 je b7 <xfrm4_rcv_encap+0xb7>

With %eax being 0 at that point. This corresponds to line 93 in xfrm4_input.c:

if (x->encap->encap_type != encap_type)

Where x->encap is NULL. This line has been added there (moved around from esp_input) in this patch titled "[IPSEC]: Kill unused decap state argument":
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e695633e21ffb6a443a8c2f8b3f095c7f1a48eb0

The check "(encap->encap_type != decap->decap_type)" removed from esp_input was just inside an if block that checked whether x->encap was set: "if (x->encap) {...}" whereas the check moved to xfrm4_rcv_encap doesn't check for validity of x->encap. So, my guess is that the check should be added there too (?)

--- linux.orig/net/ipv4/xfrm4_input.c 2006-04-03 16:24:47.000000000 +0200 +++ linux/net/ipv4/xfrm4_input.c 2006-04-03 23:31:00.000000000 +0200 @@ -90,7 +90,7 @@ if (unlikely(x->km.state != XFRM_STATE_VALID)) goto drop_unlock; - if (x->encap->encap_type != encap_type) + if (x->encap && x->encap->encap_type != encap_type) goto drop_unlock; if (x->props.replay_window && xfrm_replay_check(x, seq))
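Review bot: the guarded condition `x->encap && x->encap->encap_type != encap_type` removes the NULL dereference, but it also means an SA with no encap configured now accepts a packet whatever encap_type the caller passed in, where the unguarded line would have (crashed rather than) dropped it. As the message says, that matches the old esp_input check, which only ran inside `if (x->encap)`, so the hunk restores the previous behaviour; if a stricter policy is wanted, an SA without encap could be compared as encap_type 0 instead, e.g. `if ((x->encap ? x->encap->encap_type : 0) != encap_type)`. Either way, the commit message should state that the NULL guard was lost when the check moved from esp_input, so the reason for the change is recorded.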
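To make the difference between the two forms of the check concrete, here is an added, stand-alone C example; it is not kernel code and not part of this report. It models only the fields the check touches: the struct names, the encap_type value 2 used for "encapsulated", and the stricter drop_strict variant are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's encap template / state objects
 * (assumed names); only the fields the reported check touches exist here. */
struct encap_tmpl {
    uint16_t encap_type;        /* 0 = none, non-zero = some encapsulation */
};

struct sa {
    struct encap_tmpl *encap;   /* NULL when no encapsulation is configured */
};

/* Pre-patch form from the report: dereferences x->encap unconditionally.
 * With x->encap == NULL this is the reported crash (read at NULL + offset),
 * so it must never be called with a plain SA. */
int drop_unpatched(const struct sa *x, uint16_t encap_type)
{
    return x->encap->encap_type != encap_type;
}

/* The check as the reporter's patch writes it: guard the dereference.
 * Side effect: an SA without encap accepts any encap_type. */
int drop_patched(const struct sa *x, uint16_t encap_type)
{
    return x->encap && x->encap->encap_type != encap_type;
}

/* Stricter variant (an assumption of this example, not in the report):
 * an SA without encap is treated as encap_type 0, so an encapsulated
 * packet arriving on a plain SA is dropped rather than accepted. */
int drop_strict(const struct sa *x, uint16_t encap_type)
{
    uint16_t expected = x->encap ? x->encap->encap_type : 0;
    return expected != encap_type;
}

/* Helper that builds the objects on the stack and returns the drop
 * decision (1 = drop, 0 = accept) for the chosen variant. It only ever
 * calls the guarded variants, so a NULL encap is safe here. */
int decide(int sa_has_encap, uint16_t sa_type, uint16_t pkt_type, int strict)
{
    struct encap_tmpl tmpl = { .encap_type = sa_type };
    struct sa x = { .encap = sa_has_encap ? &tmpl : NULL };
    return strict ? drop_strict(&x, pkt_type) : drop_patched(&x, pkt_type);
}

int main(void)
{
    /* Constructed cases: encap_type 2 stands for "UDP-encapsulated". */
    const struct { const char *name; int has_encap; uint16_t sa_type; uint16_t pkt; } cases[] = {
        { "encap SA, matching type", 1, 2, 2 },
        { "encap SA, wrong type",    1, 2, 0 },
        { "plain SA, no encap",      0, 0, 0 },
        { "plain SA, encapsulated",  0, 0, 2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s patched=%s strict=%s\n", cases[i].name,
               decide(cases[i].has_encap, cases[i].sa_type, cases[i].pkt, 0) ? "drop" : "accept",
               decide(cases[i].has_encap, cases[i].sa_type, cases[i].pkt, 1) ? "drop" : "accept");
    }
    return 0;
}
```

The last row is the one the review question turns on: with the patched check a plain SA accepts an encapsulated packet, while the strict variant drops it. Which one is right depends on whether the old esp_input behaviour (check only when encap is configured) is the intended policy.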