Fixup memory management for fetching options in ip_ctloutput()

Submitted by:	Jason Eggleston <jason@eggnet.com>
Sponsored by:	Limelight Networks
Differential Revision:	https://reviews.freebsd.org/D14621

sys/netinet/ip_output.c

@@ -1256,12 +1256,18 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
 		switch (sopt->sopt_name) {
 		case IP_OPTIONS:
 		case IP_RETOPTS:
-			if (inp->inp_options)
+			if (inp->inp_options) {
+				unsigned long len = ulmin(inp->inp_options->m_len, sopt->sopt_valsize);
+				struct mbuf *options = malloc(len, M_TEMP, M_WAITOK);
+				INP_RLOCK(inp);
+				bcopy(inp->inp_options, options, len);
+				INP_RUNLOCK(inp);
 				error = sooptcopyout(sopt,
-						     mtod(inp->inp_options,
+						     mtod(options,
 							  char *),
-						     inp->inp_options->m_len);
-			else
+						     len);
+				free(options, M_TEMP);
+			} else
 				sopt->sopt_valsize = 0;
 			break;