IPSEC/FAST_IPSEC panic.

Gary Allan dragonfly at gallan.plus.com
Sat Apr 22 08:47:03 PDT 2006


I have been experiencing panics when testing IPSEC under HEAD. The 
kernel panics when sending or receiving Authentication Headers (AH), and 
TCP connections encapsulated in ESP time out.

I've made some progress resolving the panic, but I still can't get IPSEC or 
FAST_IPSEC to work correctly. I've gone through the ipsec code looking 
for any glaring errors. Any help would be appreciated.

Regards

Gary

Communication between DragonFly Head and FreeBSD 4/6 using IPSEC.

options IPSEC
options	IPSEC_ESP
IPSEC AH	ICMP, UDP and TCP are working between PCs.
IPSEC ESP	ICMP and UDP work. TCP connections time out.
IPSEC AH-ESP	ICMP and UDP work. TCP connections time out.
options FAST_IPSEC

IPSEC AH	Kernel panic.
IPSEC ESP	ICMP, UDP and TCP are working between PCs.
IPSEC AH-ESP	Kernel panic.
flush;
spdflush;

add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";

add 192.168.20.4 192.168.20.6 esp 15701 -E rijndael-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E rijndael-cbc "123456789012345678901234";

spdadd 192.168.20.4 192.168.20.6 any -P out ipsec 
	esp/transport//require
	ah/transport//require;

Index: sys/netproto/ipsec/ipsec.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/ipsec.c,v
retrieving revision 1.13
diff -u -r1.13 ipsec.c
--- sys/netproto/ipsec/ipsec.c	14 Jan 2006 13:36:40 -0000	1.13
+++ sys/netproto/ipsec/ipsec.c	22 Apr 2006 12:01:51 -0000
@@ -672,7 +672,7 @@
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 				goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e);
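Review bot: The corrected bound on the new line guarantees only that the generic extension header `ip6e` is inside the packet; whatever follows the hunk reads `ip6e` and presumably advances `off` by the header's declared length, and that derived offset needs the same check against `m->m_pkthdr.len` before any further `m_copydata`, otherwise the read-past-end the old inverted test allowed just moves one step later. The enclosing switch and its function start and end outside the hunk, so the sibling `case` labels are not visible; if they carry the same `len > off + sizeof(...)` shape they are worth auditing for the same inversion. A one-line comment would make the intent of the guard explicit, e.g. `/* bail unless the whole generic ext header fits in the packet */`.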
Index: sys/netproto/ipsec/keysock.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/keysock.c,v
retrieving revision 1.11
diff -u -r1.11 keysock.c
--- sys/netproto/ipsec/keysock.c	14 Jan 2006 13:36:40 -0000	1.11
+++ sys/netproto/ipsec/keysock.c	19 Apr 2006 18:00:36 -0000
@@ -48,6 +48,7 @@
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/systm.h>
+#include <sys/thread2.h>
 
 #include <net/raw_cb.h>
 #include <net/route.h>
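Review bot: The added `#include <sys/thread2.h>` has no visible user in this hunk, and the same applies to the identical addition in xform_ipcomp.c below; the cover note does not say which symbol it supplies. Presumably it is needed for the critical-section primitives referenced elsewhere in these files, but that is inferred, not shown. Stating the reason in the submission (e.g. "keysock.c/xform_ipcomp.c: pull in sys/thread2.h for the crit_* calls") would let a reviewer confirm the dependency rather than guess.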
Index: sys/netproto/ipsec/xform_ipcomp.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/xform_ipcomp.c,v
retrieving revision 1.7
diff -u -r1.7 xform_ipcomp.c
--- sys/netproto/ipsec/xform_ipcomp.c	10 Jun 2005 23:59:31 -0000	1.7
+++ sys/netproto/ipsec/xform_ipcomp.c	19 Apr 2006 17:46:55 -0000
@@ -40,6 +40,7 @@
 #include <sys/kernel.h>
 #include <sys/protosw.h>
 #include <sys/sysctl.h>
+#include <sys/thread2.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>




