When gnrc_rpl_init was called from a thread with higher priority than
the RPL thread, the initializer's call to gnrc_netreg_register would be
executed before the event loop even had a chance to set up its message
queue.
The added short-lived lock makes it work from threads of any priority.
The gnrc_netif_ipv6_addr_add_internal() function unconditionally
acquires the global netif rmutex lock but doesn't release this lock on
this specific path (i.e. if gnrc_netif_ipv6_group_join_internal failed).
This can cause a deadlock as no other thread will afterwards be capable
of acquiring the netif lock.
Non-routing 6LNs do not have to join the solicited nodes address, so
probing for a neighbor using that address may be in vain and only
spamming the LLN with unnecessary messages. RFC 6775 basically assumes
this in section 5.2:
> There is no need to join the solicited-node multicast address, since
> nobody multicasts NSs in this type of network.
Using `gnrc_border_router` with `uhcp` is quite noisy.
uhcpc will regularly refresh the prefix and print a bunch of status messages.
Allow the user to tone it down by setting a higher `LOG_LEVEL`.
For this, convert calls to `printf()` and `puts()` to `LOG_xxx()`.
This requires a dummy header for `uhcpd`.
In accordance with RFC 6775, section 5.2 an NCE should be set STALE
when an ARO renews the address registration for the address:
> The routers SHOULD NOT garbage-collect Registered NCEs (see
> Section 3.4), since they need to retain them until the Registration
> Lifetime expires. Similarly, if NUD on the router determines that
> the host is UNREACHABLE (based on the logic in [RFC4861]), the NCE
> SHOULD NOT be deleted but rather retained until the Registration
> Lifetime expires. A renewed ARO should mark the cache entry as
> STALE. Thus, for 6LoWPAN routers, the Neighbor Cache doesn't behave
> like a cache. Instead, it behaves as a registry of all the host
> addresses that are attached to the router.
xtimer.h must not be included, when the xtimer module is not use. Otherwise
compilation on the waspmote-pro with https://github.com/RIOT-OS/RIOT/pull/14799
will not longer work. gnrc_netif_pktq includes xtimer.h and uses xtimer, but
gnrc_netif includes gnrc_netif_pktq.h regardless of whether gnrc_netif_pktq
is used. This makes sure that gnrc_netif_pktq.h is only included when actually
used.
When `nce` is NULL on the duplicate check, the later re-fetching of the
`nce` might result in an actual NCE entry that then contains a
duplicate, so we need to re-check the EUI-64 again as well.
This changes the prefixes of the symbols generated from USEMODULE and
USEPKG variables. The changes are as follow:
KCONFIG_MODULE_ => KCONFIG_USEMODULE_
KCONFIG_PKG_ => KCONFIG_USEPKG_
MODULE_ => USEMODULE_
PKG_ => USEPKG_
Replace direct accesses to sched_active_thread and sched_active_pid with
the helper functions thread_getpid() and thread_get_active(). This serves
two purposes:
1. It makes accidental writes to those variable from outside core less likely.
2. Casting off the volatile qualifier is now well contained to those two
functions
On receiving a DIO message, RPL sets the lifetime for the default
route and the parent timeout event to the value. This leads to short
amounts of time whem the node looses its default route, while it
handles the parent timeout event to probe its parent.
This commit fixes this by adding time the node needs for probing
to the default route lifetime.
These functions are independent from GNRC and can be used by stack-agnistoc
code.
Avoid pulling in a GNRC dependency by moving those two helper functions to
`netif`.
The old function names are kept as `static inline` wrapper functions to avoid
breaking API users.
Coverty scan found this:
> CID 298295 (#1 of 1): Operands don't affect result (CONSTANT_EXPRESSION_RESULT) result_independent_of_operands:
> (ipv6_hdr_get_fl(ipv6_hdr) & 255) >> 8 is 0 regardless of the values of its operands.
Looking at the code, this appears to be a copy & paste error from the previous line.
Coverty scan found this:
> CID 298279 (#1 of 1): Out-of-bounds read (OVERRUN)
> 21. overrun-local: Overrunning array of 16 bytes at byte offset 64 by dereferencing pointer
The original intention was probably to advance the destination pointer by 4 bytes, not
4 * the destination type size.
Using pointer difference already gives us the number of elements of
size of what the pointer is pointing to.
Dividing by size will lead to the wrong (always 0) result.
Since `min(a,b)` is a very frequently used function, several libraries such as ESP8266 SDK define a `MIN` macro in their header files. Therefore the `MIN` macro should be undefined before its definition to avoid compilation errors if it is defined anywhere else before.
This changes the configuration macro to be the exponent of 2^n, as the
mbox buffer size needs to be always power of 2. The macro now has the
GNRC prefix.
Also a compile configuration documentation group is created.
This changes the configuration macro to be the exponent of 2^n, as the
mbox buffer size needs to be always power of 2.
Also a compile configuration documentation group is created.
Introduced 'GNRC_PKTDUMP_MSG_QUEUE_SIZE_EXP' to hold exponent
value and made GNRC_PKTDUMP_MSG_QUEUE_SIZE dependant on
GNRC_PKTDUMP_MSG_QUEUE_SIZE_EXP.
Moved 'GNRC_PKTDUMP_MSG_QUEUE_SIZE_EXP' to 'CONFIG_' namespace.
Exposed configurations to Kconfig
Co-authored-by: Martine Lenders <mail@martine-lenders.eu>
Co-authored-by: Leandro Lanzieri <leandro.lanzieri@haw-hamburg.de>
The 6Lo network interfaces can only support a max_frag_size of
SIXLOWPAN_FRAG_MAX_LEN (2047 bytes) as the length field is only 11-bits.
This limits the max_frag_size in the case that the L2-PDU is higher than
that.
Signed-off-by: Jean Pierre Dudey <jeandudey@hotmail.com>
802.15.4g devices have a 2047 byte PDU.
So the assertion `netif->ipv6.mtu == IPV6_MIN_MTU` is too strict here.
This is only enforced on init, so changing the modulation at run-time
did not catch this bug.
To test, use e.g. `at86rf215` with
CFLAGS += -DAT86RF215_DEFAULT_PHY_MODE=IEEE802154_PHY_MR_OQPSK
fixes#14164
Add a message bus where threads can listen for nib events.
Currently only the GNRC_IPV6_NIB_EVENT_ADDR_VALID event is
implemented which informs subscribers that an address got
valid.
`od_hex_dump()` is called if `hdr_len < pkt->size` to print the rest
after `hdr_len` of `pkt`. So if we just leave `hdr_len = 0` instead of
calling `od_hex_dump()` for every other NETTYPE, we achieve the same
effect.
As it is more effective (and already done in some cases) to re-set
`hdr_len` when the header was printed, we initialize `hdr_len` first
with 0 now.
With multiple 6LoWPAN interfaces the router for the given interface
—the one the triggering RA came over—should be used to register the
address with.
Co-Authored-By: Benjamin Valentin <benpicco@googlemail.com>
Enabled by the gnrc_netif_events pseudo module. Using an internal event
loop within the gnrc_netif thread eliminates the risk of lost interrupts
and lets ISR events always be handled before any send/receive requests
from other threads are processed.
The events in the event loop is also a potential hook for MAC layers and
other link layer modules which may need to inject and process events
before any external IPC messages are handled.
Co-Authored-By: Koen Zandberg <koen@bergzand.net>
The termination condition implemented in gnrc_pktbuf_malloc does not
work when using the sock interface as sock copies packet data to a local
buffer and frees the packet afterwards. As such, the fuzzing application
would exit before performing any input processing.
For this reason, the termination condition in gnrc_pktbuf_malloc is
disabled when using sock. Instead, the application terminates if
gnrc_sock_recv previously returned the fuzzing packet. The underlying
assumption of this implementation is that gnrc_sock_recv is called in a
loop.
Since RIOT is an operating system the native binary will never terminate
[0]. The termination condition for fuzzing GNRC is that the packet was
handled by the network stack and therefore freed. If it is never freed
we will deadlock meaning a memory leak was found, afl should be able to
detect this through timeouts.
This is currently only supported for gnrc_pktbuf_malloc since this is
the pktbuf implementation I used for fuzzing. Implementing this in
pktbuf.h is not possible.
[0]: Except NATIVE_AUTO_EXIT is defined, however, even with that define
set RIOT will only terminate when all threads terminated. Unfortunately,
gnrc_udp and other network threads will never terminate.
We don't want to advertise ourselves as a router to the upstream router.
This also leads to the border router ignoring advertisements from the upstream
router.
In 06aa65e1ba (#10627) a new behavior was
introduced in IPv6 route resolution to try address resolution only at
interfaces that have the prefix of the address to be resolved configured
in the prefix list. This however only makes sense, if the prefix
configured is [on-link], otherwise there is small likelihood of the
address to be resolved being on that link.
For the error case presented for 06aa65e (circular routing at the border
router) this made sense, however within a 6LoWPAN, due to the prefix
being valid for the entire mesh, this leads to the nodes always trying
classic address resolution for in-network addresses instead of just
routing to the default route.
Classic address resolution however fails, as 6LoWPAN hosts typically
[don't join the solicited-node multicast address of their unicast
addresses][6LN-iface-init], resulting in in-network addresses not being
reachable.
As such, to prevent both error cases
- the fallback to address resolution by prefix list must only be used
when the prefix is on-link,
- the prefix configured by DHCPv6/UHCP at the 6LoWPAN border router
must be configured as on-link, but
- the prefix must not be advertised as on-link within the 6LoWPAN to
still be [in line with RFC 6775][RFC-6775-forbidden]
With this change these cases are covered.
[on-link]: https://tools.ietf.org/html/rfc4861#page-6
[RFC 6775]: https://tools.ietf.org/html/rfc6775
[6LN-iface-init]: https://tools.ietf.org/html/rfc6775#section-5.2
[RFC-6775-forbidden]: https://tools.ietf.org/html/rfc6775#section-6.1
When pinging to a prefix for which there is a prefix list entry on the
node (so no next hop) but a default route, a packet to a non-existent
address under that prefix results in the packet being forwarded to the
default route instead. This fixes it, so the node tries address
resolution on the interface the prefix list entry is associated to.
This is the radio found in NXP Kinetis KW41Z, KW21Z. Only 802.15.4 mode
is implemented (KW41Z also supports BLE on the same transceiver).
The driver uses vendor supplied initialization code for the low level
XCVR hardware, these files were imported from KSDK 2.2.0 (framework_5.3.5)
This adds a driver for the SPI based AT86RF215 transceiver.
The chip supports the IEEE Std 802.15.4-2015 and IEEE Std 802.15.4g-2012 standard.
This driver supports two versions of the chip:
- AT86RF215: dual sub-GHz & 2.4 GHz radio & baseband
- AT86RF215M: sub-GHz radio & baseband only
Both radios support the following PHY modes:
- MR-FSK
- MR-OFDM
- MR-O-QPKS
- O-QPSK (legacy)
The driver currently only implements support for legacy O-QPSK.
To use both interfaces, add
GNRC_NETIF_NUMOF := 2
to your Makefile.
The transceiver is able to send frames of up to 2047 bytes according to
IEEE 802.15.4g-2012 when operating in non-legacy mode.
Known issues:
- [ ] dBm setting values are bogus
- [ ] Channel spacing for sub-GHz MR-O-QPSK might be wrong
- [ ] TX/RX stress test will lock up the driver on openmote-b
`netopt_state_t` is an enumeration type which is not necessarily 1 byte. If `uint8_t` is used, the cast `*((const netopt_state_t*) val` in `sx127x_netdev::_set`tries to read the real size, which can be more than the given length of 1 byte. Therefore, `netstat_opt_t` has to be used instead of `uint8_t`
This updates (or adds) a compression context whenever a new prefix
arrives at the border router. This allows 6LoWPAN to compress said
prefix in the network.
Sadly, there is now way to just remove the context when the prefix is
overwritten, so I do not do it. If an administrator chooses to reset the
prefix they can use `6ctx del` which timeouts the prefix appropriately,
but IMHO it doesn't hurt to keep the old contexts.
The reassembly buffer only needs (and stores) the headers *before* the
fragment header (called per-fragment headers in RFC 8200, section 4.5).
Currently, when a subsequent IPv6 fragment is received before the first
fragment the fragment header is however not removed. With this fix it
does.
The comment exists since the introduction of the [original
implementation], but its meaning is unclear and misleading, as the code
doesn't do anything with link-local.
[original implementation]: https://github.com/RIOT-OS/RIOT/pull/3561
Rule 2 of the source address algorithm outlined in [RFC6724] states the
possible source addresses must also be compared among each other:
> Rule 2: Prefer appropriate scope.
> If Scope(SA) < Scope(SB): If Scope(SA) < Scope(D), then prefer SB and
> otherwise prefer SA. Similarly, if Scope(SB) < Scope(SA): If
> Scope(SB) < Scope(D), then prefer SA and otherwise prefer SB.
Our current implementation doesn't do that. It just checks if the scope
of a possible source is lesser than the scope of the destination
(which involves the second "If" in the rule).
This fix grants points according to the scope of an address. If the
scope matches, they get the highest points, ensuring that the selected
source will always be reachable from the destination.
[RFC6724]: https://tools.ietf.org/html/rfc6724
Having the definitions sit in the `net/gnrc/sixlowpan/frag.h` header
does not make much sense, when using Selective Fragment Forwarding
(and the fragmentation buffer already includes a
`net/gnrc/sixlowpan/frag/stats.h` header), so they are moved to their
own header. Since with this change it makes more sense to have the
statistics stored in their own sub-module, the pseudo-module is also
actualized.
A pointer is not 32 bit on all platforms.
Since gnrc_lwmac only stores 16 bit in the pointer variable it is
still save to cast like this even on AVR, but cast to uintptr_t
instead of uint32_t.
fixes#12869
When the destination address is the loopback address (`::1`) in GNRC
the selected network interface typically is `NULL`, as with GNRC no
loopback interface de facto exists. So the assertion when checking if
the source address is valid if `netif != NULL` fails on that check.
This change fixes that issue by checking if the destination address is
the loopback address, before checking the validity of the source
address.
The RTT callback for a super-frame cycle uses the `arg` pointer to set
the message value that then is handed to the GoMacH thread. However,
in both instances the timer is scheduled the constant
`GNRC_GOMACH_EVENT_RTT_NEW_CYCLE` is provided. This means the argument
is not really necessary.
This fits with the semantics of this function which doesn't provide or
uses any state of the reassembly buffer provided by the user, but finds
the entry itself and then removes it. This gives the user no chance to
remove the packet in the reassembly buffer entry, so
`gnrc_sixlowpan_frag_rb_rm_by_datagram()` has to release the packet
(other than `gnrc_sixlowpan_frag_rb_remove()` where not releasing the
packet is desired as it might be handed up to an upper layer).
This allows to set a timer between the completion of a datagram in the
reassembly buffer and the deletion of the corresponding reassembly
buffer entry. This allows to ignore potentially late incoming link-layer
duplicates of fragments of the datagram that then will have the
reassembly buffer entry be blocked.
This was noted in this [discussion] for classic 6LoWPAN reassembly (and
minimal fragment forwarding) and is recommended in the current
[selective fragment recovery draft][SFR draft].
[discussion]: https://mailarchive.ietf.org/arch/msg/6lo/Ez0tzZDqawVn6AFhYzAFWUOtJns
[SFR draft]: https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-07#section-6
As analyzed in #12678 there are cases where different reports can be
generated for the different snips of the packet send via the `sock`.
To catch all errors generated by the stack, the sock has to subscribe
for all snips of the packet sent. If any of the snips reports an error
distinct from `GNRC_NETERR_SUCCESS` or the previous one, we report that
status instead of just the first we receive. This way we are ensured to
have the first error reported by the stack for the given packet.
The name `fragment_msg` or `frag_msg`/`msg_frag` always to me was a bit
misplaced, as it basically implements an asynchronous fragmentation
buffer and doesn't necessarily have anything to do with messages.
This change
1. changes the name to `fb` (for fragmentation buffer)
2. factors its code out to its own sub-module so it can be re-used by
other 6LoWPAN fragmentation schemes like [Selective Fragment
Recovery]
[Selective Fragment Recovery]: https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-05
The interface is already fetched in the beginning of the function and
doesn't change during its run, so getting the interface again at this
point is just redundant.
When decoding IPHC in a fragmented datagram, relying on the size of the
allocated space for the decoded packet is wrong when fragments are
forwarded and decoded on an intermediate node (for which the reassembly
buffer's space is used): Using the full datagram size for allocation in
this case would be wasteful, so the allocated space is only marginally
larger than the fragment's compressed form.
This in turn results in the wrong UDP payload size being chosen and
even worse being forwarded to the subsequent nodes.
This change uses the (virtual) reassembly buffer's `datagram_size`
instead of relying on the allocated space for the encoded
datagram/fragment.
`_match_to_idx()` was removed from source address selection (which was
the only one setting the filter parameter to a non-NULL value), so it
is the parameter is not needed anymore.
When source address selection is done, both RFC and comments in the code
state, that a longest prefix match should *only* be used as a
tie-breaker between more than one viable candidate. If there is only one
address, there is
a) no need for a tie-breaker
b) in the case of either the destination address or the single remaining
address being ULAs ([which are considered to be of global scope]
[RFC4193]) possibly not matching, as `fd00::/7` and e.g. `2001::/8`
do not have a common prefix.
(b) in fact causes the match function to return -1, causing the source
address selection to return -1, causing the outer function to return the
first address it found (which most often is the link-local address),
causing e.g. a ping to an ULA to fail, even is there is a global
address.
[RFC4193]: https://tools.ietf.org/html/rfc4193
Different platforms evaluate `printf()` for NULL pointers differently,
resulting tests checking for a certain output to fail. This unifies that
(debug) output for the static packet buffer statistics.
Similar as with #12513, when the NIB is compiled in 6LN mode (but not
6LR mode), the address-resolution state-machine (ARSM) functionality is
disabled in favor of the more simpler address resolution proposed in RFC
6775.
However, if a non-6LN interface is also compiled in (without making it
a router or border router) it will never join the solicited-nodes
multicast address of addresses added to it, resulting in address
resolution to that interface to fail.
If the interface is not a 6LN (which in case 6LN mode is disabled is
always false), a warning is now printed, encouraging the user to
activate the ARSM functionality if needed.
When the NIB is compiled for 6LN mode (but not a 6LBR), the Stateless
Address Autoconfiguration (SLAAC) functionality is disabled, as it is
typically not required; see `sys/include/net/gnrc/ipv6/nib/conf.h`, ll.
46 and 55. However, if a non-6LN interface is also compiled in (still
without making the node a border router) an auto-configured address will
be assigned in accordance with [RFC 6775] to the interface, just
assuming the interface is a 6LN interface. As it then only performs
duplicate address detection RFC-6775-style then, the address then never
becomes valid, as the duplicate address detection according to [RFC
4862] (part of the SLAAC functionality) is never performed.
As auto-configuring an address without SLAAC doesn't make sense, this
fix makes the interface skip it completely, but provides a warning to
the user, so they know what to do.
[RFC 6775]: https://tools.ietf.org/html/rfc6775#section-5.2
[RFC 4862]: https://tools.ietf.org/html/rfc4862#section-5.4
The functions now are semantic distinct:
- gnrc_netif_is_6lo(): the interface is a 6Lo interface
- gnrc_netif_is_6ln(): the interface is using Neighbor Discovery
according to RFC 6775
We want to check if the interface is an interface requiring the 6Lo
adaptation layer, not if it is a 6LN according to RFC 6775 [[1]].
[1]: https://tools.ietf.org/html/rfc6775#section-2
When writing to the IPv6 header the implementation currently doesn't
take the packet with the (potentially) duplicated header, but the
packet with the original one, which leads to the packet sent and then
released in `gnrc_netif_ethernet.c` first and then accessed again in
further iterations of the "writing to the IPv6 header" loop, which
causes access to an invalid pointer, causing a crash.
Fixes#11980
While 485dbd1fda (from #12175) was right
in assuming that the for most ICMPv6 error messages the originating
packet's destination address must not be a multicast, this is not the
case for _all_ ICMPv6 error messages (see [RFC 4443], section 2.4(e.3)).
Additionally, 485dbd1fda removed the
check for the source address ([RFC 4443], section 2.4(e.6)), which this
PR re-adds.
[RFC 4443]: https://tools.ietf.org/html/rfc4443#section-2.4
Rather than dispatching the packet automatically once it is complete,
`gnrc_sixlowpan_frag_rb_add()` now only returns success, and leaves it
to the caller to dispatch the packet.
While it is correct to not use an invalid address as a source address,
it is incorrect to assume that addresses not assigned to the interface
(`idx == -1` in the respective piece of code) are invalid: Other than
classic forwarding via a FIB, forwarded packets utilizing a IPv6
routing header will pass this check, like any other packet sent by this
node. The source address for these is not on the given node, so e.g.
source routing is not possible at the moment.
The IPv6 (extension) headers of the first fragment received are re-used
for the reassembled packet, so when receiving a subsequent packet we
need to distinguish, if we just want to release the payload or all of
the packet after the packet data was added to the reassembly buffer.
Due to some changes to the minimal forwarding draft and in preparation
for Selective Fragment Recovery some changes to the VRB API were
needed. Now the index of a VRB entry is only (L2 src, tag) not as
before (L2 src, L2 dst, length, tag).
I know that the current `rbuf_base` causes waste, as all the fields not
used by the new index are effectively not used by the VRB. I'd like to
fix that however in a later change, since that also requires some
modifications of the classic reassembly buffer, and thus would
complicate the review and testing of the change.
Sources for the index change:
- https://tools.ietf.org/html/draft-ietf-6lo-minimal-fragment-04#section-1
- https://mailarchive.ietf.org/arch/browse/6lo/?gbt=1&index=DLCTxC2X4bRNtYPHhtEkavMWlz4
TCP options have up to three fields (kind, length, value). The
current code only checks for the presence of the first field. Before
accessing the second field (length) the code must ensure that a length
field is even present.
A received packet is outputted in DEBUG _after_ it was already parsed,
but with a reference to the already parsed header. The result is that
there can be some garbage in the output and the packet is not dumped in
total. As without parsing we do not have access to the header yet, we
use the `gnrc_netif_addr_to_str()` helper function instead of parsing
the destination address by hand.
before this commit the src address was checked for multicast, but the dst address should be checked. Therefore udp multicast packets would be flooded back to the src as ICMPv6 error, as not all nodes had a UDP receiver registered.
From the gnrc_pktbuf_mark documentation:
It's not guaranteed that `result->data` points to the
same address as the original `pkt->data.
Thus it should be necessary to update the `hdr` pointer.
If an address was pre-configured by the upper layer its validity is
currently ignored. It is neither checked if the address is on the
interface at all nor is it checked if it is valid.
This change provides a fix for that by checking both facts.
When reworking the reception of IPv6 packets I reset a previously set
`ipv6` snip as follows when the IPv6 extension handler returns a
packet (see first hunk of this commit):
```C
ipv6 = pkt->next->next
```
With `gnrc_ipv6_ext` this makes *somewhat* sense, `pkt->next` was
previously equal to `ipv6` and after the function call `pkt->next`
is the marked extension header, while `pkt->next->next` is the IPv6
header. However, since `ipv6` is already write-protected i.e.
`ipv6->users == 1` (see ll. 665-675), any additional call of
`gnrc_pktbuf_start_write()` [won't][start-write-doc] duplicate the
packet. In fact, the only `gnrc_pktbuf_start_write()` in
`gnrc_ipv6_ext` is used to send the *result* to the subscribers of that
extension header type, leaving the original packet unchanged for the
caller. As such `ipv6` remains the pointer to the IPv6 header whether
we set it in the line above or not. So we actually don't need that
line.
However, the extension header handling also returns a packet when
`gnrc_ipv6_ext` is not compiled in. In that case it is just a dummy
define that returns the packet you give provide it which means that
this still holds true: `pkt->next == ipv6`.
So setting `ipv6` in this case is actually harmful, as `ipv6` now
points to the NETIF header [following the IPv6 header][pkt-structure]
in the packet and this causes the `user` counter of that NETIF header
`hdr` to be decremented if `hdr->users > 1` in the write-protection I
removed in hunk 2 of this commit:
```C
/* pkt might not be writable yet, if header was given above */
ipv6 = gnrc_pktbuf_start_write(ipv6);
if (ipv6 == NULL) {
DEBUG("ipv6: unable to get write access to packet: dropping it\n");
gnrc_pktbuf_release(pkt);
return;
}
```
But as we already established, `ipv6->users` is already 1, so we don't
actually need the write protection here either.
Since the packet stays unchanged after the `ipv6` snip, we also don't
need to re-search for `netif_hdr` after the other two lines are
removed.
[start-write-doc]: https://doc.riot-os.org/group__net__gnrc__pktbuf.html#ga640418467294ae3d408c109ab27bd617
[pkt-structure]: https://doc.riot-os.org/group__net__gnrc__pkt.html#ga278e783e56a5ee6f1bd7b81077ed82a7
The `addr` parameter of the NIB's `_handle_dad()` function can come
from anywhere (e.g. in the fallback to classic SLAAC the destination
address of the IP header is used), so putting that pointer in a timer
is not a good idea. Instead we use the version of the address that is
stored within the interface.
`_demux()` might change `pkt->data` in all kind of ways (moving it due
to `gnrc_pktbuf_mark()`, though unlikely; releasing it, because e.g. it
starts with a fragment header that marks a fragmented packet containing
only one fragment, etc.) so accessing the pointer *after* calling
`_demux()` is somewhat playing with fire. This change avoids this by
storing the value of `ext_hdr->nh` (all we are interested in here) in a
temporary variable that then is used to set the out-parameter `nh`.
`protnum` needs to be unchanged before the call to `_demux()` as it was
set by the previous iteration and determines what extension header
actually is handled.
If the interface's link-layer doesn't use link-layer addresses it
obviously doesn't make sense to auto-configure an IPv6 address from it.
Moreover, I think the address `fe80::` is actual illegal, but I
couldn't find any references for it.