------------------------------------------------------------
revno: 13232
revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
author: Yuriy M. Kaminskiy <yumkam@gmail.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Thu 2016-03-31 03:14:10 +1300
message:
  pinger: Fix buffer overflow in Icmp6::Recv
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
# timestamp: 2016-03-30 14:51:02 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20160220150859-\
#   3unryicod1rcx9rm
# 
# Begin patch
=== modified file 'src/icmp/Icmp6.cc'
--- src/icmp/Icmp6.cc	2014-09-15 05:06:14 +0000
+++ src/icmp/Icmp6.cc	2016-03-30 14:14:10 +0000
@@ -277,7 +277,7 @@
     #define ip6_hops	// HOPS!!!  (can it be true??)
 
         ip = (struct ip6_hdr *) pkt;
-        pkt += sizeof(ip6_hdr);
+        NP: echo size needs to +sizeof(ip6_hdr);
 
     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
     		", ip6_plen=" << ip->ip6_plen <<
@@ -288,7 +288,6 @@
     */
 
     icmp6header = (struct icmp6_hdr *) pkt;
-    pkt += sizeof(icmp6_hdr);
 
     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
 
@@ -313,7 +312,7 @@
         return;
     }
 
-    echo = (icmpEchoData *) pkt;
+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 
     preply.opcode = echo->opcode;