Subject: Re: kern/34212
To: kern-bug-people@netbsd.org, gnats-admin@netbsd.org
From: Darren Reed (NetBSD) <darrenr@netbsd.org>
List: netbsd-bugs
Date: 10/29/2006 22:55:04
The following reply was made to PR kern/34212; it has been noted by GNATS.

From: "Darren Reed (NetBSD)" <darrenr@netbsd.org>
To: Martti Kuparinen <martti.kuparinen@iki.fi>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@NetBSD.org
Subject: Re: kern/34212
Date: Sun, 29 Oct 2006 14:50:59 -0800

 Can you dump the registers for this crash?
 What does "cr2 c1f77004" mean?  (It is closish to the mbuf)
 
 How do we know what triggered the crash?
 Can we tell null-deref vs bad address vs something else?
 
 I believe that the line it is crashing on is:
 savelen = oip6->ip6_plen
 
 The mbuf is saying the data section starts at 0xc1f71fd0, is valid
 for 1280 bytes...so %edi should be fine if it points straight to the
 old IPv6 header inside the ICMPv6 packet inside the IPv6 packet.
 
 fin_dp gives us an idea of what to expect; it's 0xc1f71ff8, or fin_ip
 (0xc1f71fd0) + 0x28 (40) - the size of the ICMPv6 header.
 
 Darren