Hi,

In May this year, the condition that would make this break do the right thing got removed, and now if a short packet is sent to an ipsec-enabled bridge, various things like 'spi' and 'off' are left uninitialized, but thankfully the gettdb call that follows will most likely fail when presented with a random spi value. But it's a nasty bug nevertheless.
OK? diff --git sys/net/if_bridge.c sys/net/if_bridge.c index 0e048205475..33d4753fd6b 100644 --- sys/net/if_bridge.c +++ sys/net/if_bridge.c @@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp, if (dir == BRIDGE_IN) { switch (af) { case AF_INET: if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) - break; + goto skiplookup; ip = mtod(m, struct ip *); proto = ip->ip_p; off = offsetof(struct ip, ip_p); @@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp, break; #ifdef INET6 case AF_INET6: if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) - break; + goto skiplookup; ip6 = mtod(m, struct ip6_hdr *); /* XXX We should chase down the header chain */ proto = ip6->ip6_nxt;
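Review bot: neither hunk introduces a `skiplookup:` label, so it must already exist in bridge_ipsec() further down; please confirm it sits past the gettdb() call, i.e. after the point where `spi` and `off` would be consumed, since the visible lines only show `off` and `proto` being assigned after the short-packet check. One more thing worth checking in both hunks: the check compares `m->m_pkthdr.len - hlen` against `2 * sizeof(u_int32_t)`, which is a `size_t`, so if that difference could ever be negative it would convert to a large unsigned value and the `goto skiplookup` would not be taken; it would be good to confirm that `hlen` is already bounded by the caller.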