From d31944e6ec798fa765ad8608b52b2fe32435030a Mon Sep 17 00:00:00 2001
From: Jun-ichiro itojun Hagino <itojun@FreeBSD.org>
Date: Mon, 23 Oct 2000 07:11:01 +0000
Subject: [PATCH] be careful on mbuf overrun on ctlinput. short icmp6 packet
 may be able to panic the kernel. sync with kame.

---
 sys/netinet/tcp_subr.c     | 7 ++++++-
 sys/netinet/tcp_timewait.c | 7 ++++++-
 sys/netinet6/udp6_usrreq.c | 6 +++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 4541f4e06ed5..25c9b66b9da6 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1012,6 +1012,7 @@ tcp6_ctlinput(cmd, sa, d)
 	} else {
 		m = NULL;
 		ip6 = NULL;
+		off = 0;	/* fool gcc */
 	}
 
 	/*
@@ -1036,7 +1037,11 @@ tcp6_ctlinput(cmd, sa, d)
 		    m->m_pkthdr.rcvif != NULL)
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
 
-		if (m->m_len < off + sizeof(*thp)) {
+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(th))
+			return;
+
+		if (m->m_len < off + sizeof(th)) {
 			/*
 			 * this should be rare case
 			 * because now MINCLSIZE is "(MHLEN + 1)",
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 4541f4e06ed5..25c9b66b9da6 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1012,6 +1012,7 @@ tcp6_ctlinput(cmd, sa, d)
 	} else {
 		m = NULL;
 		ip6 = NULL;
+		off = 0;	/* fool gcc */
 	}
 
 	/*
@@ -1036,7 +1037,11 @@ tcp6_ctlinput(cmd, sa, d)
 		    m->m_pkthdr.rcvif != NULL)
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
 
-		if (m->m_len < off + sizeof(*thp)) {
+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(th))
+			return;
+
+		if (m->m_len < off + sizeof(th)) {
 			/*
 			 * this should be rare case
 			 * because now MINCLSIZE is "(MHLEN + 1)",
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index beda1e92db09..bb0ae73b885f 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$KAME: udp6_usrreq.c,v 1.11 2000/06/18 06:23:06 jinmei Exp $	*/
+/*	$KAME: udp6_usrreq.c,v 1.17 2000/10/13 17:46:21 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -450,6 +450,10 @@ udp6_ctlinput(cmd, sa, d)
 		if (IN6_IS_ADDR_LINKLOCAL(&s))
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
 
+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(uh))
+			return;
+
 		if (m->m_len < off + sizeof(uh)) {
 			/*
 			 * this should be rare case,