On Thu, Oct 13, 2016 at 11:06 +0000, Christian Weisgerber wrote:
> On 2016-10-12, Christian Weisgerber <na...@mips.inka.de> wrote:
> 
> > After the second m_makespace():
> >
> >     +------+-----+      +------+      +--------+-----+
> >     | IPv6 | ESP | ---- | IPv6 | ---- | ICMPv6 | ESP |
> >     +------+-----+      +------+      +--------+-----+
> >
> > With m_inject(), it would instead be something like this:
> >
> >     +------+    +-----+      +------+      +--------
> >     | IPv6 |----| ESP | ---- | IPv6 | ---- | ICMPv6  ...
> >     +------+    +-----+      +------+      +--------
> 
> Found it.  It's this snippet of nd6_ns_output() that handles those
> mbuf chains differently:
> 
>                     if (ln && ln->ln_hold) {
>                             hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
>                             /* XXX pullup? */
>                             if (sizeof(*hip6) < ln->ln_hold->m_len)
>                                     saddr6 = &hip6->ip6_src;
>                             else
>                                     saddr6 = NULL;
>                     } else
>                             saddr6 = NULL;
> 
> Did this only ever work by accident?
>

Does reversing this condition work? (sizeof > m_len)
I believe the comment about pullup is pointless.

FreeBSD has moved this code into nd6_llinfo_get_holdsrc and
fixed this condition in this diff:
https://svnweb.freebsd.org/base?view=revision&revision=288652

> -- 
> Christian "naddy" Weisgerber                          na...@mips.inka.de
> 
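
Added example, not part of the original message and not OpenBSD or FreeBSD code: a userland model of the first-mbuf length check discussed in this thread, comparing the quoted comparison with the reversed one on both mbuf layouts. The `fake_*` types, the helper names, and the sample lengths (48 for IPv6 plus an 8-byte ESP header in the first mbuf, 40 for the IPv6 header alone, 20 for a truncated one) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland stand-ins with hypothetical names; not the kernel's structures. */
struct fake_ip6_hdr {
    uint8_t  vfc_flow[4];
    uint16_t plen;
    uint8_t  nxt, hlim, src[16], dst[16];
};
_Static_assert(sizeof(struct fake_ip6_hdr) == 40, "IPv6 header is 40 bytes");
struct fake_mbuf {
    size_t  m_len;      /* bytes stored in this mbuf, not in the whole chain */
    uint8_t data[64];
};

/* Constructed sample: first mbuf of a held packet carrying `len` bytes. */
static struct fake_mbuf first_mbuf(size_t len)
{
    struct fake_mbuf m = { .m_len = len };
    m.data[offsetof(struct fake_ip6_hdr, src)] = 0xfe;  /* constructed address byte */
    return m;
}

/* Comparison as quoted: accepts only m_len strictly larger than the header. */
static const uint8_t *src_quoted(const struct fake_mbuf *m)
{
    if (sizeof(struct fake_ip6_hdr) < m->m_len)
        return m->data + offsetof(struct fake_ip6_hdr, src);
    return NULL;
}

/* Reversed comparison: rejects only a first mbuf shorter than the header. */
static const uint8_t *src_reversed(const struct fake_mbuf *m)
{
    if (sizeof(struct fake_ip6_hdr) > m->m_len)
        return NULL;
    return m->data + offsetof(struct fake_ip6_hdr, src);
}

int main(void)
{
    size_t lens[] = { 48, 40, 20 };  /* IPv6+ESP, IPv6 alone, truncated */
    for (size_t i = 0; i < 3; i++) {
        struct fake_mbuf m = first_mbuf(lens[i]);
        printf("m_len=%zu quoted=%s reversed=%s\n", lens[i],
            src_quoted(&m) ? "src" : "NULL", src_reversed(&m) ? "src" : "NULL");
    }
}
```

With the header alone in the first mbuf (`m_len` of 40), the quoted comparison yields NULL while the reversed one returns the source address; both still reject the 20-byte case.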
