1 files changed, 11 insertions, 2 deletions

diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 5ecb11f1cb0..1b528b30b99 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: frag6.c,v 1.87 2022/02/22 01:15:02 guenther Exp $	*/
+/*	$OpenBSD: frag6.c,v 1.88 2024/03/26 23:48:49 bluhm Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -404,8 +404,17 @@ frag6_input(struct mbuf **mp, int *offp, int proto, int af)
 	/* adjust offset to point where the original next header starts */
 	offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
 	pool_put(&ip6af_pool, ip6af);
+	next += offset - sizeof(struct ip6_hdr);
+	if ((u_int)next > IPV6_MAXPACKET) {
+		TAILQ_REMOVE(&frag6_queue, q6, ip6q_queue);
+		frag6_nfrags -= q6->ip6q_nfrag;
+		frag6_nfragpackets--;
+		mtx_leave(&frag6_mutex);
+		pool_put(&ip6q_pool, q6);
+		goto dropfrag;
+	}
 	ip6 = mtod(m, struct ip6_hdr *);
-	ip6->ip6_plen = htons((u_short)next + offset - sizeof(struct ip6_hdr));
+	ip6->ip6_plen = htons(next);
 	ip6->ip6_src = q6->ip6q_src;
 	ip6->ip6_dst = q6->ip6q_dst;
 	if (q6->ip6q_ecn == IPTOS_ECN_CE)