From nobody@FreeBSD.org  Mon Apr  7 14:30:18 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 81BF0934
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  7 Apr 2014 14:30:18 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 6F494660
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  7 Apr 2014 14:30:18 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s37EUICK055124
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 7 Apr 2014 14:30:18 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s37EUHUE054903;
	Mon, 7 Apr 2014 14:30:17 GMT
	(envelope-from nobody)
Message-Id: <201404071430.s37EUHUE054903@cgiserv.freebsd.org>
Date: Mon, 7 Apr 2014 14:30:17 GMT
From: Balaaji SP <sp.balaaji@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Application Crash on boundary value operation
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         188351
>Category:       bin
>Synopsis:       [patch] ping6(8): fix crash on boundary value operation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 07 14:40:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Wed Apr 16 02:38:06 UTC 2014
>Originator:     Balaaji SP
>Release:        8.1
>Organization:
>Environment:
amd64
>Description:
Ping6 application crashes when executed with maximum packet data size option.
Maximum allowed data bytes length should be 130768 and not 131024. EXTRA bytes is not accounted
while calculating packet length.

This happens because memory gets over-written by 256 bytes beyond the outpack buffer in to memory arena.
>How-To-Repeat:
Execute Ping6 with -s option with a value of 131024. Verify if the application has crashed.
>Fix:

Account EXTRA bytes in packet length.

freebsd/sbin/ping6/ping6.c	

- #define MAXDATALEN      MAXPACKETLEN - IP6LEN - ICMP6ECHOLEN
+#define MAXDATALEN	MAXPACKETLEN - IP6LEN - ICMP6ECHOLEN - EXTRA

>Release-Note:
>Audit-Trail:
>Unformatted:
