svn commit: r313054 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Wed Feb 1 21:03:24 UTC 2017
Author: ae
Date: Wed Feb 1 21:03:22 2017
New Revision: 313054
URL: https://svnweb.freebsd.org/changeset/base/313054
Log:
Fix IP length before invoking ipsec_run_hhooks().
This fixes tcpdump's complains about truncated ip6 packets, when
it listens on the enc(4) interface. Tested with scenario described in
PR 216681.
Modified:
projects/ipsec/sys/netipsec/ipsec_output.c
Modified: projects/ipsec/sys/netipsec/ipsec_output.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec_output.c Wed Feb 1 20:50:44 2017 (r313053)
+++ projects/ipsec/sys/netipsec/ipsec_output.c Wed Feb 1 21:03:22 2017 (r313054)
@@ -519,12 +519,15 @@ ipsec6_perform_request(struct mbuf *m, s
goto bad;
}
+ /* Fix IP length in case if it is not set yet. */
+ ip6 = mtod(m, struct ip6_hdr *);
+ ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
+
IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET6, IPSEC_ENC_BEFORE);
if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
goto bad;
- ip6 = mtod(m, struct ip6_hdr *);
- ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
+ ip6 = mtod(m, struct ip6_hdr *); /* pfil can change mbuf */
dst = &sav->sah->saidx.dst;
/* Do the appropriate encapsulation, if necessary */
More information about the svn-src-projects
mailing list