On Tue, Feb 22, 2011 at 10:55:01AM -0700, Miod Vallat wrote:
> The following reply was made to PR kernel/6554; it has been noted by GNATS.
>
> From: Miod Vallat <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Subject: Re: kernel/6554: IPSEC + GRE + carp crash and lockup
> Date: Tue, 22 Feb 2011 17:43:15 +0000
>
> Does the following diff help?
>
> Index: if_gre.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_gre.c,v
> retrieving revision 1.52
> diff -u -p -r1.52 if_gre.c
> --- if_gre.c 23 Sep 2010 11:34:50 -0000 1.52
> +++ if_gre.c 22 Feb 2011 17:41:54 -0000
> @@ -415,6 +415,15 @@ gre_output(struct ifnet *ifp, struct mbu
> goto end;
> }
>
> + if (m->m_len < sizeof(struct greip)) {
> + m = m_pullup(m, sizeof(struct ip));
Shouldn't we pullup sizeof(struct greip) instead of sizeof(struct ip)?
> + if (m == NULL) {
> + IF_DROP(&ifp->if_snd);
> + error = ENOBUFS;
> + goto end;
> + }
> + }
> +
> gh = mtod(m, struct greip *);
> if (sc->g_proto == IPPROTO_GRE) {
> /* We don't support any GRE flags for now */
>
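Review bot: the guard on the first added line tests m->m_len against sizeof(struct greip), but the m_pullup() call on the next line asks for only sizeof(struct ip) contiguous bytes. After a successful pullup the first mbuf is guaranteed to hold only sizeof(struct ip) bytes, yet the unchanged line right after the block does gh = mtod(m, struct greip *) and treats the data as a full struct greip. Pull up the same size that was tested, i.e. m = m_pullup(m, sizeof(struct greip)). A short comment naming the path that can reach this point with a first mbuf shorter than the header would also help, since the hunk itself does not show how that state arises.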
I also wonder why we should hit that case in the IPPROTO_GRE case.
The last thing we do in the IPPROTO_GRE case is:
M_PREPEND(m, sizeof(struct greip), M_DONTWAIT);
plus
if (m == NULL) {
...
goto end;
}
So I can't see how it is possible to end up with an mbuf that has less
than sizeof(struct greip) available.
The IPPROTO_MOBILE is a different story (the mbuf handling in this case is
a bit crazy and I don't understand how it will work with IP options) but
IPPROTO_MOBILE is not used in this case.
--
:wq Claudio