From: JINMEI Tatuya / 神明達哉
To: blue
Cc: "Bjoern A. Zeeb", freebsd-net@freebsd.org
Subject: Re: infinite loop in esp6_ctlinput()?
Date: Wed, 29 Aug 2007 00:28:47 +0900
In-Reply-To: <46D40BB7.4060100@zyxel.com.tw>
References: <46D38543.4020507@zyxel.com.tw> <46D3B747.1090903@zyxel.com.tw> <20070828092348.Y87821@maildrop.int.zabbadoz.net> <46D40BB7.4060100@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD

At Tue, 28 Aug 2007 19:49:11 +0800,
blue wrote:

> According to the GDB backtrace, I think this is what I am talking about.
>
> Besides, this would result in an infinite loop just by looking at the
> code. However, the author seems to know the problem, too. The comments
> in esp6_ctlinput() point out:
>
> /*
>  * Although pfctlinput2 will call esp6_ctlinput(), there is
>  * no possibility of an infinite loop of function calls,
>  * because we don't pass the inner IPv6 header.
>  */
>
> I am not sure what the description means. The behavior of
> esp6_ctlinput() is the same in HEAD, too.

This means that the variable 'ip6' should be NULL the second time esp6_ctlinput() is called in the esp_input.c ("non-FAST" IPSEC) version. It prevents the function calls from making an infinite loop. On the other hand, the ipsec_input.c (FAST_IPSEC) version only seems to check that ip6ctlparam * ('d') is NULL, making the infinite sequence of calls possible.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp
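The two readings above, as a constructed C model added here (not code from the thread or from FreeBSD): the stand-in structs, the pfctlinput2 wrapper that simply calls the handler back, and the MAX_DEPTH limit that stands in for kernel stack exhaustion are all assumptions of the model. The guarded variant re-dispatches a param with no inner IPv6 header and stops on the second call; the variant that only checks 'd' keeps re-entering itself.

```c
#include <stddef.h>
/* Constructed model of the esp6_ctlinput()/pfctlinput2() re-entry discussed
 * in the thread: a hypothetical simplification, not FreeBSD kernel code. */
struct ip6_hdr { unsigned char octets[40]; };     /* stand-in inner IPv6 header */
struct ip6ctlparam { struct ip6_hdr *ip6c_ip6; }; /* stand-in for the 'd' argument */
#define MAX_DEPTH 16 /* stands in for stack exhaustion so the model terminates */

typedef void (*ctlinput_fn)(int cmd, void *d, int level);
/* Model of pfctlinput2(): hands the notification back to the registered
 * ctlinput handler, i.e. the very handler that called it. */
static void pfctlinput2(ctlinput_fn fn, int cmd, void *d, int level) { fn(cmd, d, level); }
static int depth_guarded, depth_unguarded; /* deepest level each variant reached */

/* esp_input.c reading: the re-dispatched param carries no inner IPv6 header,
 * so the second call sees ip6 == NULL and returns at once. */
static void esp6_ctlinput_guarded(int cmd, void *d, int level)
{
	struct ip6ctlparam *ip6cp = d;
	struct ip6_hdr *ip6 = ip6cp ? ip6cp->ip6c_ip6 : NULL;
	struct ip6ctlparam inner = { NULL }; /* copy without the inner header */
	if (level > depth_guarded) depth_guarded = level;
	if (ip6 == NULL)
		return; /* nothing to look up: recursion ends here */
	/* ... SA lookup keyed on the inner header would go here ... */
	pfctlinput2(esp6_ctlinput_guarded, cmd, &inner, level + 1);
}

/* ipsec_input.c (FAST_IPSEC) reading from the thread: only d is checked and
 * the same param is re-dispatched, so the handler keeps re-entering itself. */
static void esp6_ctlinput_unguarded(int cmd, void *d, int level)
{
	(void)cmd;
	if (level > depth_unguarded) depth_unguarded = level;
	if (d == NULL || level >= MAX_DEPTH)
		return;
	pfctlinput2(esp6_ctlinput_unguarded, cmd, d, level + 1);
}

/* Drive a variant with one constructed notification; return the depth reached. */
static int run(ctlinput_fn fn, int *depth)
{
	struct ip6_hdr hdr = {{0}};
	struct ip6ctlparam p = { &hdr };
	*depth = 0;
	fn(0, &p, 1);
	return *depth;
}
int run_guarded(void)   { return run(esp6_ctlinput_guarded, &depth_guarded); }
int run_unguarded(void) { return run(esp6_ctlinput_unguarded, &depth_unguarded); }
```

run_guarded() reaches level 2 and stops; run_unguarded() only stops because the model's MAX_DEPTH cuts it off, which in the kernel would be the stack overflowing.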