Subject: Re: panic: ipsec4_splithdr: first mbuf too short
To: Michael van Elst <>
From: Bill Studenmund <>
List: tech-net
Date: 06/19/2006 21:25:54
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jun 15, 2006 at 09:08:45AM +0000, Michael van Elst wrote:
> (Martin Husemann) writes:
> >On Thu, Jun 15, 2006 at 08:31:12AM +0000, Emmanuel Dreyfus wrote:
> >> I experienced this unpleasant panic. I wonder if this issue is caused
> >> by some kernel data inconsistency (which means that the panic is legit=
> >> or by a bogus packet (which means we should only issue a warning and d=
> >> the packet).
> >Or just m_pullup()? (no idea what ipsec splithdr does, so this might be a
> >stupid suggestion)
> It removes the IP header from an _outgoing_ packet before encapsulation.
> If the packet is generated on the host itself, the panic could be ok.
> If the packet is received and routed into an ipsec tunnel, it should
> have been dropped before. Maybe there is some optimization that
> skips checks for routed packets?

Actually, this can readily happen if something calls m_pulldown(). It will
leave a small or zero-length (I think zero, but I'm not 100% sure) mbuf at
the head of the chain and have everything in the next PDU along.

While I agree we should drop a packet that has zero length, just because=20
the first mbuf has zero length doesn't mean we should throw the thing out.=
:-) Look at the next mbuf in the chain.

Take care,


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)