Merge from stable/11 r320593:

  Fix IPv6 extension header parsing. The length field doesn't include
  the first 8 octets.

  Obtained from:	Yandex LLC
Approved by:	re (marius)

(cherry picked from commit 1b1001711cd25830b9dcd1ab518fa6bf0b7a3f11)

3 files changed, 3 insertions, 3 deletions

diff --git a/sys/netpfil/ipfw/nat64/nat64_translate.c b/sys/netpfil/ipfw/nat64/nat64_translate.c
index aefd0f9..25b4e14 100644
--- a/sys/netpfil/ipfw/nat64/nat64_translate.c
+++ b/sys/netpfil/ipfw/nat64/nat64_translate.c
@@ -1054,7 +1054,7 @@ nat64_getlasthdr(struct mbuf *m, int *offset)
 		if (proto == IPPROTO_HOPOPTS && ip6->ip6_plen == 0)
 			return (-1);
 		proto = hbh->ip6h_nxt;
-		hlen += hbh->ip6h_len << 3;
+		hlen += (hbh->ip6h_len + 1) << 3;
 	}
 	if (offset != NULL)
 		*offset = hlen;
diff --git a/sys/netpfil/ipfw/nptv6/nptv6.c b/sys/netpfil/ipfw/nptv6/nptv6.c
index da86975..c720a33 100644
--- a/sys/netpfil/ipfw/nptv6/nptv6.c
+++ b/sys/netpfil/ipfw/nptv6/nptv6.c
@@ -125,7 +125,7 @@ nptv6_getlasthdr(struct nptv6_cfg *cfg, struct mbuf *m, int *offset)
 		if (m->m_len < hlen)
 			return (-1);
 		proto = hbh->ip6h_nxt;
-		hlen += hbh->ip6h_len << 3;
+		hlen += (hbh->ip6h_len + 1) << 3;
 	}
 	if (offset != NULL)
 		*offset = hlen;
diff --git a/sys/netpfil/ipfw/pmod/tcpmod.c b/sys/netpfil/ipfw/pmod/tcpmod.c
index fc2bfb5..10b6d2d 100644
--- a/sys/netpfil/ipfw/pmod/tcpmod.c
+++ b/sys/netpfil/ipfw/pmod/tcpmod.c
@@ -137,7 +137,7 @@ tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss)
 	    proto == IPPROTO_DSTOPTS) {
 		hbh = mtodo(*mp, hlen);
 		proto = hbh->ip6h_nxt;
-		hlen += hbh->ip6h_len << 3;
+		hlen += (hbh->ip6h_len + 1) << 3;
 	}
 	tcp = mtodo(*mp, hlen);
 	plen = (*mp)->m_pkthdr.len - hlen;