tech-net archive
(Possibly critical) bug in our IPv6 fragment handling?
Hi tech-net,
I just stumbled across a blog post (in German):
http://blog.fefe.de/?ts=b3c75fd8
<loose translation>
If you thought the times of IP-level exploits are over, you're wrong:
http://marc.info/?l=openbsd-cvs&m=129496184702233 [...]
</loose translation>
The OpenBSD people applied the following patch:
--- src/sys/netinet6/frag6.c 2010/05/07 14:33:17 1.30
+++ src/sys/netinet6/frag6.c 2011/01/13 23:36:53 1.31
@@ -1,4 +1,4 @@
-/* $OpenBSD: frag6.c,v 1.30 2010/05/07 13:33:17 claudio Exp $ */
+/* $OpenBSD: frag6.c,v 1.31 2011/01/13 23:36:53 bluhm Exp $ */
/* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
/*
@@ -545,12 +545,11 @@ insert:
*q6->ip6q_nxtp = (u_char)(nxt & 0xff);
#endif
- /*
- * Delete frag6 header with as a few cost as possible.
- */
- if (offset < m->m_len) {
+ /* Delete frag6 header */
+ if (m->m_len >= offset + sizeof(struct ip6_frag)) {
+ /* This is the only possible case with !PULLDOWN_TEST */
ovbcopy((caddr_t)ip6, (caddr_t)ip6 + sizeof(struct ip6_frag),
- offset);
+ offset);
m->m_data += sizeof(struct ip6_frag);
m->m_len -= sizeof(struct ip6_frag);
} else {
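Review bot: the new condition `m->m_len >= offset + sizeof(struct ip6_frag)` is the right test here, because the old `offset < m->m_len` only checked that the fragment header *starts* inside the first mbuf; a header that straddled the boundary into the next mbuf still took this branch, and the ovbcopy() of `offset` bytes plus `m->m_len -= sizeof(struct ip6_frag)` then "deleted" bytes that were not in this mbuf, leaving the chain's length accounting wrong. Two follow-ups: the `else` branch that now receives the straddling case is outside this hunk, so confirm it handles a fragment header split across mbufs rather than being reachable only under PULLDOWN_TEST as the new comment suggests; and the `offset);` continuation line is a whitespace-only change that could be dropped to keep the hunk minimal.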
As we have roughly the same code in src/sys/netinet6/frag6.c and I cannot say
anything about the assessment in that blog post, I thought I'd ask whether
this is something to look at.
Regards,