bug in 'ipfw: pullup failed' w/ ipv6-nonxt ?

Pekka Savola pekkas at netcore.fi
Mon Aug 6 08:53:35 UTC 2007


Hi,

Recently on FreeBSD-6.2 STABLE I've noticed an over 100x increase in 
'ipfw: pullup failed' messages.  This coincides with me starting to 
run a Teredo relay, which includes receiving pretty much arbitrary IPv6 
packets from the network.

This appears to trigger a problem in sys/netinet/ip_fw2.c code with a 
packet like:

11:35:48.327605 IP6 (hlim 255, next-header: unknown (59), length: 0) 
2001:0:4136:xxxx:yyyy:zzzz:wwww:vvvv > fe80::fc31:b43b:679c:dcb9: no next header

Now, the code in ip_fw2.c appears to be:

 			case IPPROTO_NONE:	/* RFC 2460 */
 				PULLUP_TO(hlen, ulp, struct ip6_ext);
 				/* Packet ends here. if ip6e_len!=0 octets
 				 * must be ignored. */
 				break;

.. but struct ip6_ext is at least 2 bytes long.  Am I reading the code 
correctly that it expects that even with IPPROTO_NONE, the IP header 
needs to include at least 2 bytes of content?  This would probably be 
a bug, and instead of printing "pullup failed" it shouldn't try to 
pull more than the base IPv6 header.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


More information about the freebsd-ipfw mailing list
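
Added example, not part of the original message and not FreeBSD code: a userland C model of the length check discussed above, run on a constructed 40-byte IPv6 header with next header 59 and no payload. The names check_packet, bytes_needed and build_bare_header are hypothetical, and the strict_none flag switches between the behaviour of the quoted case and the behaviour the message suggests.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN 40   /* fixed IPv6 base header size */
#define NXT_UDP    17
#define NXT_NONE   59   /* IPPROTO_NONE, "no next header" */

/* Same two-byte layout as the kernel's struct ip6_ext. */
struct ext_hdr { uint8_t nxt; uint8_t len; };

/* Bytes that must be present after the base header before the next-header
 * value can be processed. strict_none=1 models the quoted ip_fw2.c case,
 * strict_none=0 models the suggestion of pulling nothing for NONE. */
static size_t bytes_needed(uint8_t nxt, int strict_none)
{
    switch (nxt) {
    case NXT_NONE: return strict_none ? sizeof(struct ext_hdr) : 0;
    case NXT_UDP:  return 8;    /* UDP header */
    default:       return 0;    /* other protocols left out of this model */
    }
}

/* Userland stand-in for PULLUP_TO: 0 if enough bytes, -1 = "pullup failed". */
int check_packet(const uint8_t *pkt, size_t len, int strict_none)
{
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    return len >= IP6_HDRLEN + bytes_needed(pkt[6], strict_none) ? 0 : -1;
}

/* Constructed sample: bare 40-byte header, payload length 0, hlim 255. */
size_t build_bare_header(uint8_t *buf, uint8_t nxt)
{
    memset(buf, 0, IP6_HDRLEN);
    buf[0] = 0x60;   /* version 6 */
    buf[6] = nxt;    /* next header */
    buf[7] = 255;    /* hop limit */
    return IP6_HDRLEN;
}

int main(void)
{
    uint8_t pkt[IP6_HDRLEN];
    size_t len = build_bare_header(pkt, NXT_NONE);
    printf("as quoted:    %d\n", check_packet(pkt, len, 1));
    printf("as suggested: %d\n", check_packet(pkt, len, 0));
    return 0;
}
```

A bare header carrying a protocol that really does need more bytes (UDP in this model) is still rejected in both modes, so relaxing the NONE case does not weaken the length check for other next-header values.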