Hello, On Thu, Apr 28, 2022 at 10:31:33PM +0200, Alexander Bluhm wrote: </snip> > > Thanks. regress/sys/netinet6/frag6 found a small issue. If the > icmp6 header is fragmented, we cannot pull the icmp6 header. I had > to copy the fragment check to the beginning of case IPPROTO_ICMPV6. > > This chunk is new: > + case IPPROTO_ICMPV6: > + /* fragments may be short, ignore inner header then */ > + if (pd->fragoff != 0 && end < pd->off + sizeof(icmp6)) { > + pd->off = pd->fragoff; > + pd->proto = IPPROTO_FRAGMENT; > + return (PF_PASS); > + } > > Although it is questionable if we should allow fragmented header > chains, I don't want to change behavior here. If I recall correctly > newer RFCs forbid fragmented header chains. But I had implemented > this code before the IPv6 standards have discovered the security > implications. > > I am currently running a full regress. >
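Review bot: the early return in the new `case IPPROTO_ICMPV6:` block passes any fragment too short to hold the ICMPv6 header with `pd->proto = IPPROTO_FRAGMENT`, and the one-line comment does not say that the ICMPv6 type and code are then never examined for that packet. Since the message describes this block as a copy of the existing fragment check, consider moving the test into a small helper shared by both places so the two copies cannot drift apart, and extend the comment to state that the packet is handled as a bare fragment from this point on.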
new diff still reads OK to me.

thanks and
regards
sashan