author | Kris Kennaway <kris@FreeBSD.org> | 2001-02-26 03:41:13 +0000 |
---|---|---|
committer | Kris Kennaway <kris@FreeBSD.org> | 2001-02-26 03:41:13 +0000 |
commit | 19391949fbcc73ee9e67c6ddc357736161ff956c (patch) | |
tree | 486bc9b6242a21e6d080d364b5779d815593be76 /sys/netinet6/dest6.c | |
parent | c33f8c177f57dd6a96a269f2aeec608516bc16e0 (diff) | |
More IP option length validation.
Includes the following revisions from KAME (two of these were actually
committed previously but the CVS revisions weren't documented):
1.40 kame/kame/sys/netinet6/ah_core.c (committed in previous rev)
1.41 kame/kame/sys/netinet6/ah_core.c
1.28 kame/kame/sys/netinet6/ah_output.c (committed in previous rev)
1.29 kame/kame/sys/netinet6/ah_output.c
1.30 kame/kame/sys/netinet6/ah_output.c
1.129 kame/kame/sys/netinet6/nd6.c
1.130 kame/kame/sys/netinet6/nd6.c
1.24 kame/kame/sys/netinet6/dest6.c
1.25 kame/kame/sys/netinet6/dest6.c
Obtained from: KAME
Notes:
svn path=/head/; revision=73059
Diffstat (limited to 'sys/netinet6/dest6.c')
-rw-r--r-- | sys/netinet6/dest6.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/sys/netinet6/dest6.c b/sys/netinet6/dest6.c index 268d8c9b185c..8d3987cb5476 100644 --- a/sys/netinet6/dest6.c +++ b/sys/netinet6/dest6.c @@ -89,22 +89,20 @@ dest6_input(mp, offp, proto) /* search header for all options. */ for (optlen = 0; dstoptlen > 0; dstoptlen -= optlen, opt += optlen) { - switch(*opt) { - case IP6OPT_PAD1: - optlen = 1; - break; - case IP6OPT_PADN: - if (dstoptlen < IP6OPT_MINLEN) { - ip6stat.ip6s_toosmall++; - goto bad; - } - optlen = *(opt + 1) + 2; - break; + if (*opt != IP6OPT_PAD1 && + (dstoptlen < IP6OPT_MINLEN || *(opt + 1) + 2 > dstoptlen)) { + ip6stat.ip6s_toosmall++; + goto bad; + } + + switch (*opt) { + case IP6OPT_PAD1: + optlen = 1; + break; + case IP6OPT_PADN: + optlen = *(opt + 1) + 2; + break; default: /* unknown option */ - if (dstoptlen < IP6OPT_MINLEN) { - ip6stat.ip6s_toosmall++; - goto bad; - } if ((optlen = ip6_unknown_opt(opt, m, opt-mtod(m, u_int8_t *))) == -1) return(IPPROTO_DONE); |
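Review bot: In the default branch of the switch in dest6_input, optlen is taken from the return value of ip6_unknown_opt() and only -1 is rejected, whereas the new pre-check bounds `*(opt + 1) + 2` against dstoptlen rather than the value that actually advances opt and decrements dstoptlen in the for loop. The loop therefore stays in bounds only if ip6_unknown_opt() always returns exactly that length. Either add a check such as `if (optlen > dstoptlen) goto bad;` after the switch, or add a comment stating that the returned length equals the one validated above. A short comment on the combined condition would also help, noting that IP6OPT_PAD1 is exempt because it is a single byte with no length field, and that ip6s_toosmall now also counts options whose declared length overruns the remaining header.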