Hi,
The IPv6 routing header type 0 check should modify *offp only in
case of an error, so that the genrated icmp6 packet has the correct
pointer. After successful return, *offp should not be modified.
ok?
bluhm
Index: netinet6/ip6_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.250
diff -u -p -r1.250 ip6_input.c
--- netinet6/ip6_input.c 6 Aug 2022 15:57:59 -0000 1.250
+++ netinet6/ip6_input.c 11 Aug 2022 19:36:22 -0000
@@ -695,21 +695,23 @@ ip6_check_rh0hdr(struct mbuf *m, int *of
do {
switch (proto) {
case IPPROTO_ROUTING:
- *offp = off;
if (rh_cnt++) {
/* more than one rh header present */
+ *offp = off;
return (1);
}
if (off + sizeof(rthdr) > lim) {
/* packet to short to make sense */
+ *offp = off;
return (1);
}
m_copydata(m, off, sizeof(rthdr), &rthdr);
if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
- *offp += offsetof(struct ip6_rthdr, ip6r_type);
+ *offp = off +
+ offsetof(struct ip6_rthdr, ip6r_type);
return (1);
}
