openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-06-18 07:13:36 +02:00
Code Activity

frag6_input(): must always decrement counter when dropping fragment

Browse Source 
Currently frag6_input() does not decrement counter in one case:
- it is processing fragment with offset 0 which arrives after
the last fragment (fragment with max. offset)
- there are more IPv6 extension headers between IPv6 header
and IPv6 fragment header
- re-assembled packet exceeds IPV6_MAXPACKET size limit

if conditions above are met, then fragment gets dropped without
decrementing counters. This commit fixes that.

The issue was pointed out by Frank Denis.

OK bluhm@
This commit is contained in:
sashan
2026-05-15 09:42:46 +00:00
parent bcab7b1625
commit 450386e668
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
sys/netinet6/frag6.c
+3 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: frag6.c,v 1.95 2025/07/24 22:57:24 mvs Exp $ */
/* $OpenBSD: frag6.c,v 1.96 2026/05/15 09:42:46 sashan Exp $ */
/* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
/*
@@ -274,6 +274,8 @@ frag6_input(struct mbuf **mp, int *offp, int proto, int af,
/* dequeue the fragment. */
LIST_REMOVE(af6, ip6af_list);
pool_put(&ip6af_pool, af6);
frag6_nfrags--;
q6->ip6q_nfrag--;
/* adjust pointer. */
ip6err = mtod(merr, struct ip6_hdr *);