From 450386e66817ef4462de89ef247165682d33c122 Mon Sep 17 00:00:00 2001
From: sashan
Date: Fri, 15 May 2026 09:42:46 +0000
Subject: [PATCH] frag6_input(): must always decrement counter when dropping fragment

Currently frag6_input() does not decrement counter in one case:
- it is processing fragment with offset 0 which arrives after the last fragment (fragment with max. offset)
- there are more IPv6 extension headers between IPv6 header and IPv6 fragment header
- re-assembled packet exceeds IPV6_MAXPACKET size limit
if conditions above are met, then fragment gets dropped without decrementing counters. This commit fixes that.
The issue was pointed out by Frank Denis.
OK bluhm@
---
 sys/netinet6/frag6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index a6692a4b90d..3700b5c9d9c 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: frag6.c,v 1.95 2025/07/24 22:57:24 mvs Exp $ */
+/* $OpenBSD: frag6.c,v 1.96 2026/05/15 09:42:46 sashan Exp $ */
 /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
 /*
@@ -274,6 +274,8 @@ frag6_input(struct mbuf **mp, int *offp, int proto, int af,
 /* dequeue the fragment. */
 LIST_REMOVE(af6, ip6af_list);
 pool_put(&ip6af_pool, af6);
+ frag6_nfrags--;
+ q6->ip6q_nfrag--;
 /* adjust pointer. */
 ip6err = mtod(merr, struct ip6_hdr *);
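Review bot: The two decrements added after `pool_put(&ip6af_pool, af6);` in the second hunk carry no comment saying which invariant they keep. A line such as `/* keep global and per-queue fragment counts in step with the list */` would help. These counters presumably back the fragment limits, so a missed decrement lets the count drift upward until legitimate fragments are refused. The remove/put/decrement sequence is open-coded here, so if other drop paths in frag6.c repeat it, a small static helper doing all three steps would guard against the same omission. `frag6_nfrags` looks like a file-scope counter, so it is also worth confirming that this path updates it under the same lock as the other sites. frag6_input() starts and ends outside the hunk, so none of this can be checked from here.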