infinite loop in esp6_ctlinput()?

blue susan.lan at zyxel.com.tw
Tue Aug 28 04:49:08 PDT 2007 

Hi,

According to the GDB backtrace, I think this is what I am talking about.

Besides, this would result in infinite loop just by looking at the 
codes. However, the author seems knowing the problem, too. The comments 
in esp6_ctlinput() point out:
          /*
         * Although pfctlinput2 will call esp6_ctlinput(), there is
         * no possibility of an infinite loop of function calls,
         * because we don't pass the inner IPv6 header.
          */

I am not sure what the description means. The behavior of 
esp6_ctlinput() is the same in HEAD, too.

Best regards,

Yi-Wen

Bjoern A. Zeeb wrote:

> On Tue, 28 Aug 2007, blue wrote:
>
> Hi,
>
>> Since our device adopts the IPsec codes from BSD, our device will 
>> have infinite loop after receiving ICMP packet too big message.
>> I am not sure whether BSD itself  will have the problem or not (maybe 
>> needs further testing). In IPSEC, esp6_ctlinput() still calls 
>> pfctlinput2(), which is the root cause of the infinite loop.
>
>
> you were talking about IPSEC vs. FAST_IPSEC so I guess you are on
> RELENG_6 or is that HEAD. Would be helpful to know where exactly
> (though I guess looking at the code I could find out).
>
> Is it the problem reported here[1] that you are describing?
>
>
> /bz
>
>
> [1] 
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/076478.html 
>
>
>> Best regards,
>>
>> Yi-Wen
>>
>> JINMEI Tatuya / ???? wrote:
>>
>>> At Tue, 28 Aug 2007 10:15:31 +0800,
>>> blue <susan.lan at zyxel.com.tw> wrote:
>>>
>>>
>>>> When receiving a "packet too big" ICMP error message, FreeBSD will 
>>>> call the ctlinput() function of the upper protocol. If the 
>>>> preceding packet is an ESP  IPv6 packet, then FreeBSD will call 
>>>> esp6_ctlinput(). In esp6_ctlinput(), pfctlinput2() will be executed 
>>>> to traverse all possible upper protocols, and call their registered 
>>>> ctlinput() function. However, that would call esp6_ctlinput() again 
>>>> since ESP is one of the upper protocols! Then an infinite loop 
>>>> occurs!!
>>>>
>>>
>>> From a quick look at the code, there's a slight difference between the
>>> IPSEC (netinet6/esp_input.c) and FAST_IPSEC (netipsec/ipsec_input.c)
>>> implementations.  I suspect the loop doesn't occur at least for the
>>> esp_input.c version.  Did you actually see the loop for both, or are
>>> you guessing from the code?
>>>
>>>
>>>> After comparing both IPSEC and FAST_IPSEC, the operations are 
>>>> exactly the same. Is it a bug?
>>>>
>>>
>>> If it actually causes an infinite loop, it's a bug, of course.
>>>
>>>                     JINMEI, Tatuya
>>>                     Communication Platform Lab.
>>>                     Corporate R&D Center, Toshiba Corp.
>>>                     jinmei at isl.rdc.toshiba.co.jp
>>>
>>>
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>

More information about the freebsd-net mailing list