From owner-freebsd-net@FreeBSD.ORG  Wed Oct  1 16:59:05 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2904F602
 for <freebsd-net@freebsd.org>; Wed,  1 Oct 2014 16:59:05 +0000 (UTC)
Received: from mail-n.franken.de (drew.ipv6.franken.de
 [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "mail-n.franken.de", Issuer "Thawte DV SSL CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id E221B5EE
 for <freebsd-net@freebsd.org>; Wed,  1 Oct 2014 16:59:04 +0000 (UTC)
Received: from [192.168.1.102] (p508F3C1B.dip0.t-ipconnect.de [80.143.60.27])
 (Authenticated sender: macmic)
 by mail-n.franken.de (Postfix) with ESMTP id C1C161C0E978B
 for <freebsd-net@freebsd.org>; Wed,  1 Oct 2014 18:59:00 +0200 (CEST)
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: UDP/IPv6 handling
Message-Id: <B30E0A41-51B0-442C-9476-0D9E99C0D37C@lurchi.franken.de>
Date: Wed, 1 Oct 2014 18:58:58 +0200
To: FreeBSD Net <freebsd-net@freebsd.org>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 16:59:05 -0000

Dear all,

in udp6_input() we have the following code:

	if (nxt =3D=3D IPPROTO_UDP && plen !=3D ulen) {
		UDPSTAT_INC(udps_badlen);
		goto badunlocked;
	}=20
	/*
	 * Checksum extended UDP header and data.
	 */
	if (uh->uh_sum =3D=3D 0) {
		if (ulen > plen || ulen < sizeof(struct udphdr)) {
			UDPSTAT_INC(udps_nosum);
			goto badunlocked;
		}
	}

I'm trying to understand the UDP code path...

So (ulen > plen) can't be true. I'm wondering why do we only check the =
ulen is not too
short only in the case when the UDP checksum is zero. A zero checksum =
should also never happen.

I think we should check for ulen < sizeof(struct udphdr) in any case.

Opinions?

Best regards
Michael=