From 0f40d5af5752dc1448c44ba49806f6f770d56c27 Mon Sep 17 00:00:00 2001
From: ae
Date: Thu, 29 Jun 2017 19:06:43 +0000
Subject: [PATCH] Fix IPv6 extension header parsing. The length field doesn't include the first 8 octets.
Obtained from: Yandex LLC
MFC after: 3 days
---
 sys/netpfil/ipfw/nat64/nat64_translate.c | 2 +-
 sys/netpfil/ipfw/nptv6/nptv6.c | 2 +-
 sys/netpfil/ipfw/pmod/tcpmod.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/netpfil/ipfw/nat64/nat64_translate.c b/sys/netpfil/ipfw/nat64/nat64_translate.c
index aefd0f96396b..25b4e14cc01a 100644
--- a/sys/netpfil/ipfw/nat64/nat64_translate.c
+++ b/sys/netpfil/ipfw/nat64/nat64_translate.c
@@ -1054,7 +1054,7 @@ nat64_getlasthdr(struct mbuf *m, int *offset)
 if (proto == IPPROTO_HOPOPTS && ip6->ip6_plen == 0)
 return (-1);
 proto = hbh->ip6h_nxt;
- hlen += hbh->ip6h_len << 3;
+ hlen += (hbh->ip6h_len + 1) << 3;
 }
 if (offset != NULL)
 *offset = hlen;
diff --git a/sys/netpfil/ipfw/nptv6/nptv6.c b/sys/netpfil/ipfw/nptv6/nptv6.c
index da8697530061..c720a336675f 100644
--- a/sys/netpfil/ipfw/nptv6/nptv6.c
+++ b/sys/netpfil/ipfw/nptv6/nptv6.c
@@ -125,7 +125,7 @@ nptv6_getlasthdr(struct nptv6_cfg *cfg, struct mbuf *m, int *offset)
 if (m->m_len < hlen)
 return (-1);
 proto = hbh->ip6h_nxt;
- hlen += hbh->ip6h_len << 3;
+ hlen += (hbh->ip6h_len + 1) << 3;
 }
 if (offset != NULL)
 *offset = hlen;
diff --git a/sys/netpfil/ipfw/pmod/tcpmod.c b/sys/netpfil/ipfw/pmod/tcpmod.c
index fc2bfb504a6a..10b6d2d6a3a3 100644
--- a/sys/netpfil/ipfw/pmod/tcpmod.c
+++ b/sys/netpfil/ipfw/pmod/tcpmod.c
@@ -137,7 +137,7 @@ tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss)
 proto == IPPROTO_DSTOPTS) {
 hbh = mtodo(*mp, hlen);
 proto = hbh->ip6h_nxt;
- hlen += hbh->ip6h_len << 3;
+ hlen += (hbh->ip6h_len + 1) << 3;
 }
 tcp = mtodo(*mp, hlen);
 plen = (*mp)->m_pkthdr.len - hlen;
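Review bot: In nptv6_getlasthdr (sys/netpfil/ipfw/nptv6/nptv6.c) the visible guard `if (m->m_len < hlen)` only shows that offset hlen is not beyond the mbuf data, while the following lines read `hbh->ip6h_nxt` and `hbh->ip6h_len`, which need two more bytes at that offset. With the corrected stride the length byte taken from the packet moves hlen by up to 2048 bytes per header, so this guard is what keeps the walk inside the buffer; it should cover the header being read, e.g. `if (m->m_len < hlen + (int)sizeof(*hbh)) return (-1);`. This assumes hbh points at offset hlen, which is assigned outside the hunk. The nat64_getlasthdr hunk shows no length check in its visible lines, so the same condition is worth confirming there; both loops begin outside their hunks.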
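Review bot: In tcpmod_ipv6_setmss (sys/netpfil/ipfw/pmod/tcpmod.c) no length check is visible between `hbh = mtodo(*mp, hlen)` and the later `tcp = mtodo(*mp, hlen)` and `plen = (*mp)->m_pkthdr.len - hlen`, so both depend on an offset built from packet-supplied length bytes. If the caller has already validated the extension-header chain (not visible in this hunk), that precondition should be stated above the loop, for example `/* Caller has validated the extension header chain; hlen stays within the packet. */`. Otherwise hlen needs to be compared with `(*mp)->m_pkthdr.len` before the TCP header is touched. The loop header and the function's error path are outside the hunk.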