netinet6: Do not forward or send ICMPv6 messages to the unspec address

As in f7174eb2b4 ("netinet: Do not forward or ICMP response to
INADDR_ANY"), the IPv6 stack should avoid sending packets to the
unspecified address.  In particular:
- Make sure that we do not forward received packets to the unspecified
  address; the check in ip6_input() catches this in the common case, but
  after commit 40faf87894 it's possible for a pfil hook to bypass this
  check and pass the packet to ip6_forward() using the
  PACKET_TAG_IPFORWARD tag.
- Make sure that we do not reflect packets back to the unspecified
  address; RFC 4443 section 2.4 states that we must not generate error
  messages in response to packets from the unspecified address.

Reviewed by:	zlei, glebius
Reported by:	Franco Fichtner <franco@opnsense.org>
MFC after:	1 month
Sponsored by:	Klara, Inc.
Sponsored by:	OPNsense
Differential Revision:	https://reviews.freebsd.org/D49339

(cherry picked from commit b7a61e09e4)

sys/netinet6/icmp6.c

@@ -2089,6 +2089,12 @@ icmp6_reflect(struct mbuf *m, size_t off)
 	hlim = 0;
 	srcp = NULL;
 
+	if (__predict_false(IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src))) {
+		nd6log((LOG_DEBUG,
+		    "icmp6_reflect: source address is unspecified\n"));
+		goto bad;
+	}
+
 	/*
 	 * If the incoming packet was addressed directly to us (i.e. unicast),
 	 * use dst as the src for the reply.

sys/netinet6/ip6_forward.c

@@ -109,7 +109,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 	 */
 	if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
 	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
-	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
+	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) ||
+	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
 		IP6STAT_INC(ip6s_cantforward);
 		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
 		if (V_ip6_log_cannot_forward && ip6_log_ratelimit()) {