Module Name:    src
Committed By:   martin
Date:           Sun Apr 28 10:15:20 UTC 2024

Modified Files:
        src/sys/netinet6 [netbsd-8]: frag6.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1960):

        sys/netinet6/frag6.c: revision 1.78

frag6: fix calculation of fragment length

Because of the miscalculation, 32-byte fragmented IPv6 packets
were wrongly dropped.

See https://mail-index.netbsd.org/tech-net/2024/04/14/msg008741.html
for more details.

Patch from Yasuyuki KOZAKAI (with minor tweaks)


To generate a diff of this commit:
cvs rdiff -u -r1.60.6.6 -r1.60.6.7 src/sys/netinet6/frag6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.60.6.6 src/sys/netinet6/frag6.c:1.60.6.7
--- src/sys/netinet6/frag6.c:1.60.6.6	Thu Oct 27 16:08:50 2022
+++ src/sys/netinet6/frag6.c	Sun Apr 28 10:15:20 2024
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.60.6.7 2024/04/28 10:15:20 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.7 2024/04/28 10:15:20 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -158,9 +158,10 @@ frag6_input(struct mbuf **mp, int *offp,
 	 * sizeof(struct ip6_frag) == 8
 	 * sizeof(struct ip6_hdr) = 40
 	 */
-	if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) &&
-	    (((ntohs(ip6->ip6_plen) - offset) == 0) ||
-	     ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
+	frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset
+	    - sizeof(struct ip6_frag);
+	if ((frgpartlen == 0) ||
+	    ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && (frgpartlen & 0x7) != 0)) {
 		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
 		    offsetof(struct ip6_hdr, ip6_plen));
 		in6_ifstat_inc(dstifp, ifs6_reass_fail);
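Review bot: The new guard `frgpartlen == 0` rejects only an exactly-zero length, yet the expression that computes `frgpartlen` mixes `sizeof` (a `size_t`) with `offset`, so it is evaluated in unsigned arithmetic and would wrap instead of going negative if `offset + sizeof(struct ip6_frag)` ever exceeded `sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen)`. The declaration of `frgpartlen` and the earlier packet-length validation are outside this hunk, so that case may already be excluded; if `frgpartlen` is a signed int, writing the test as `if ((frgpartlen <= 0) ||` would keep a wrapped value from reaching the `q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET` size check in the later hunk, which now depends on this earlier assignment. A short comment above the assignment, for example `/* frgpartlen: length of the fragment data following the fragment header */`, would also record what the extra `- sizeof(struct ip6_frag)` term is for. frag6_input's body starts and ends outside the hunk.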
@@ -269,7 +270,6 @@ frag6_input(struct mbuf **mp, int *offp,
 	 * in size.
 	 * If it would exceed, discard the fragment and return an ICMP error.
 	 */
-	frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset;
 	if (q6->ip6q_unfrglen >= 0) {
 		/* The 1st fragment has already arrived. */
 		if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) {
