fix for IPSEC-IPV4 breakage

Matthew Dillon dillon at
Wed Oct 13 16:49:54 PDT 2004

:Hi Folks,
:The attached patch fixes panics in tcp_input() / udp_input() when
:an esp/transport mode is used _with_ cbc-block encryption.
:Both tcp_input and udp_input assume that the full ip/tcp or ip/udp
:header is in the first mbuf.
:When esp w. block encryption is used, this wasn't the case, as
:esp_cbc_decrypt() (called from esp4_input) was allocating a
:new mbuf and decrypting its payload into that mbuf, leaving
:only the IP part of the header in the first mbuf.
:The attached patch back-copies the decrypted payload back into 
:the first mbuf, and blows away the copy mbuf. This appears to

    Our new TCP and UDP protocol stacks require the entire header
    to reside in the first mbuf and assert if it isn't.

    You have the correct solution, but could you use m_pullup() instead 
    of manually manipulating the mbuf?  I think m_pullup() will do the
    job here.

:I'm not sure how this worked before (tried it in 4.9 and it
:works somehow), or when it broke, but it's nothing if not
:nasty.  :) :)

    4.9 doesn't have the same requirement on entry to the protocol stack.

					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
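
The condition discussed in this thread (only the IP header left in the first mbuf after ESP decryption) and what a pullup does to restore the contiguous-header guarantee, as an added example that is not part of the original messages or of DragonFly's code. It is a userland model: `struct buf`, `buf_new`, `chain_free`, `chain_pullup` and the 64-byte `BUF_CAP` are hypothetical stand-ins, not the kernel's mbuf API.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 64                    /* constructed: toy per-buffer capacity */

/* Hypothetical, simplified stand-in for a kernel mbuf (userland model). */
struct buf {
    struct buf *next;
    size_t len;                       /* valid bytes in data[] */
    unsigned char data[BUF_CAP];
};

/* Build one buffer holding n bytes (n <= BUF_CAP) copied from src. */
struct buf *buf_new(const void *src, size_t n, struct buf *next)
{
    struct buf *b = calloc(1, sizeof(*b));
    if (b == NULL || n > BUF_CAP) { free(b); return NULL; }
    memcpy(b->data, src, n);
    b->len = n;
    b->next = next;
    return b;
}

void chain_free(struct buf *b)
{
    while (b != NULL) { struct buf *n = b->next; free(b); b = n; }
}

/*
 * Make the first `need` bytes of the chain contiguous in the head buffer,
 * the guarantee the protocol input path asserts on. Like m_pullup(), a
 * failure frees the whole chain and returns NULL.
 */
struct buf *chain_pullup(struct buf *head, size_t need)
{
    if (head == NULL || need > BUF_CAP) { chain_free(head); return NULL; }
    while (head->len < need) {
        struct buf *n = head->next;
        if (n == NULL) { chain_free(head); return NULL; }  /* packet too short */
        size_t take = need - head->len;
        if (take > n->len) take = n->len;
        memcpy(head->data + head->len, n->data, take);
        head->len += take;
        memmove(n->data, n->data + take, n->len - take);
        n->len -= take;
        if (n->len == 0) { head->next = n->next; free(n); }  /* drop drained buffer */
    }
    return head;
}
```

Because a failed pullup has already freed the chain, the caller must not touch or free its old pointer after a NULL return.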
