From: bluhm Date: Fri, 12 Aug 2022 12:08:54 +0000 (+0000) Subject: At successful return ip6_check_rh0hdr() keeps *offp unmodified. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f42e2e0a6c82573a95292904e86a430ee909df9c;p=openbsd At successful return ip6_check_rh0hdr() keeps *offp unmodified. The IPv6 routing header type 0 check should modify *offp only in case of an error, so that the generated icmp6 packet has the correct pointer. OK sashan@
---
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 6a4c8c1d004..d71441d8dbb 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.250 2022/08/06 15:57:59 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.251 2022/08/12 12:08:54 bluhm Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -695,21 +695,23 @@ ip6_check_rh0hdr(struct mbuf *m, int *offp)
 do {
 switch (proto) {
 case IPPROTO_ROUTING:
- *offp = off;
 if (rh_cnt++) {
 /* more than one rh header present */
+ *offp = off;
 return (1);
 }
 if (off + sizeof(rthdr) > lim) {
 /* packet to short to make sense */
+ *offp = off;
 return (1);
 }
 m_copydata(m, off, sizeof(rthdr), &rthdr);
 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
- *offp += offsetof(struct ip6_rthdr, ip6r_type);
+ *offp = off +
+ offsetof(struct ip6_rthdr, ip6r_type);
 return (1);
 }
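Review bot: The contract this change establishes is not stated anywhere in the code of the second hunk: `*offp` is written only on the three `return (1)` paths of the `IPPROTO_ROUTING` case and is otherwise left as the caller passed it. It now depends on each error path carrying its own assignment. A later error return added without one would leave the caller's untouched offset in place, and per the commit message that value ends up as the pointer in the generated icmp6 packet. A comment at the top of the case would pin the rule down, for example `/* Set *offp only when returning 1; the caller uses it as the icmp6 error pointer. */`. The function's opening and the remaining switch cases lie outside the hunk, so whether the other return paths follow the same rule cannot be checked from here.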