From e55e4cbdfb5e176f4cb77ae91138a44ecb73af8a Mon Sep 17 00:00:00 2001
From: Michael Tuexen
Date: Fri, 16 Jan 2026 12:49:40 +0100
Subject: [PATCH] ipv6: account for jumbo payload option
If a jumbo payload option is added, the length of the mbuf chain is increased by 8 but the actual hop-by-hop extension header with the jumbo playload option is only inserted in the packet if there are other options. Therefore, adjust optlen to reflect the actual size of IPv6 extension headers including the hop-by-hop extension header containing the jumbo payload option.
Reported by: syzbot+73fe316271df473230eb@syzkaller.appspotmail.com
Reviewed by: markj, Timo Voelker
Differential Revision: https://reviews.freebsd.org/D54394
(cherry picked from commit 1f5b1de1fdf2924066c1851ed6c73f36fe20b438)
---
 sys/netinet6/ip6_output.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 3e48c0ed4c4..add0938d553 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -585,6 +585,7 @@ no_ipsec:;
 if ((error = ip6_insert_jumboopt(&exthdrs, plen)) != 0)
 goto freehdrs;
 ip6->ip6_plen = 0;
+ optlen += 8; /* JUMBOOPTLEN */
 } else
 ip6->ip6_plen = htons(plen);
 nexthdrp = &ip6->ip6_nxt;
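Review bot: The added `optlen += 8; /* JUMBOOPTLEN */` hard-codes the number of bytes that ip6_insert_jumboopt() contributes, so the length accounting here and the insertion code can drift apart silently, which is the same class of mismatch this commit corrects. The comment suggests a JUMBOOPTLEN constant exists elsewhere in the file; if so, making its definition visible before this point would allow `optlen += JUMBOOPTLEN;` and keep a single source of truth. A short why-comment such as `/* ip6_insert_jumboopt() grew the hop-by-hop header; keep optlen in step */` would make the coupling explicit for the next reader. The enclosing function starts and ends outside the hunk, so whether any use of optlen before this line needs the same adjustment cannot be confirmed from here.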