More IP option length validation.

Includes the following revisions from KAME (two of these were actually
committed previously but the CVS revisions weren't documented):

1.40      kame/kame/sys/netinet6/ah_core.c (committed in previous rev)
1.41      kame/kame/sys/netinet6/ah_core.c
1.28      kame/kame/sys/netinet6/ah_output.c (committed in previous rev)
1.29      kame/kame/sys/netinet6/ah_output.c
1.30      kame/kame/sys/netinet6/ah_output.c
1.129     kame/kame/sys/netinet6/nd6.c
1.130     kame/kame/sys/netinet6/nd6.c
1.24      kame/kame/sys/netinet6/dest6.c
1.25      kame/kame/sys/netinet6/dest6.c

Obtained from:	KAME

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c
index df9f4d5..59263cd 100644
--- a/sys/netinet6/ah_output.c
+++ b/sys/netinet6/ah_output.c
@@ -539,8 +539,8 @@ ah4_finaldst(m)
 			break;
 		case IPOPT_LSRR:
 		case IPOPT_SSRR:
-			if (q[i + IPOPT_OLEN] <= 0
-			 || optlen - i < q[i + IPOPT_OLEN]) {
+			if (q[i + IPOPT_OLEN] < 2 + sizeof(struct in_addr) ||
+			    optlen - i < q[i + IPOPT_OLEN]) {
 				ipseclog((LOG_ERR,
 				    "ip_finaldst: invalid IP option "
 				    "(code=%02x len=%02x)\n",
@@ -550,8 +550,8 @@ ah4_finaldst(m)
 			i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
 			return (struct in_addr *)(q + i);
 		default:
-			if (q[i + IPOPT_OLEN] <= 0
-			 || optlen - i < q[i + IPOPT_OLEN]) {
+			if (q[i + IPOPT_OLEN] < 2 ||
+			    optlen - i < q[i + IPOPT_OLEN]) {
 				ipseclog((LOG_ERR,
 				    "ip_finaldst: invalid IP option "
 				    "(code=%02x len=%02x)\n",