Subject: Re: panic: ipsec4_splithdr: first mbuf too short
To: None <>
From: Michael van Elst <>
List: tech-net
Date: 06/15/2006 09:08:45 (Martin Husemann) writes:

>On Thu, Jun 15, 2006 at 08:31:12AM +0000, Emmanuel Dreyfus wrote:
>> I experienced this unpleasant panic. I wonder if this issue is caused
>> by some kernel data inconsistency (which means that the panic is legitimate),
>> or by a bogus packet (which means we should only issue a warning and drop
>> the packet).

>Or just m_pullup()? (no idea what ipsec splithdr does, so this might be a
>stupid suggestion)

It removes the IP header from an _outgoing_ packet before encapsulation.

If the packet is generated on the host itself, the panic could be ok.
If the packet is received and routed into an ipsec tunnel, it should
have been dropped before. Maybe there is some optimization that
skips checks for routed packets?

                                Michael van Elst
                                "A potential Snark may lurk in every tree."