---
- branch: netbsd-8
  date: Sat Jun 23 11:03:27 UTC 2018
  files:
  - new: 1.211.6.7
    old: 1.211.6.6
    path: src/sys/netinet6/icmp6.c
    pathrev: src/sys/netinet6/icmp6.c@1.211.6.7
    type: modified
  id: 20180623T110327Z.3adbe01c077b3c29d7030a2e6372c90cf47db17f
  log: "Pull up following revision(s) (requested by maxv in ticket #893):\n\n\tsys/netinet6/icmp6.c: revision 1.228,1.230\n\nRemove the RH0 code from ICMPv6. RH0 is deprecated by RFC5095 (2007) for\nsecurity reasons. We already removed it in Route6.\n\nIn addition there was an mbuf bug here: calling IP6_EXTHDR_GET twice with\nthe same offset, but still using the pointer from the first call, which\ncould have been made invalid. By luck, m_pulldown leaves zero-sized mbufs\nin place, instead of freeing them.\n\nAnd in general, using a 'finaldst' pointer on the mbuf, and then modifying\nthat mbuf with IP6_EXTHDR_GET with a smaller offset, was really error-\nprone.\n\nFix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the\nbeginning of the packet (off+ip6_plen is beyond the end of the mbuf). By\nluck, the IP6_EXTHDR_GET that follows will fail and prevent buffer\noverflows in non-jumbogram packets.\n\nFor jumbograms we will probably be in trouble here; but it doesn't seem\npossible to craft reliably a jumbogram for a non-jumbogram-enabled device.\n\nSo I don't think it's a huge problem.\n"
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netinet6'
  unixtime: '1529751807'
  user: martin