ipv6: don't crash with corrupted control messages

Change-Id: I39f79ec43c73b2fcc90316713181940ada523150
Reviewed-on: https://go-review.googlesource.com/45114
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

ipv6/control.go

@@ -129,14 +129,14 @@ func (cm *ControlMessage) Parse(b []byte) error {
 		if lvl != iana.ProtocolIPv6 {
 			continue
 		}
-		switch typ {
-		case ctlOpts[ctlTrafficClass].name:
+		switch {
+		case typ == ctlOpts[ctlTrafficClass].name && l >= ctlOpts[ctlTrafficClass].length:
 			ctlOpts[ctlTrafficClass].parse(cm, m.Data(l))
-		case ctlOpts[ctlHopLimit].name:
+		case typ == ctlOpts[ctlHopLimit].name && l >= ctlOpts[ctlHopLimit].length:
 			ctlOpts[ctlHopLimit].parse(cm, m.Data(l))
-		case ctlOpts[ctlPacketInfo].name:
+		case typ == ctlOpts[ctlPacketInfo].name && l >= ctlOpts[ctlPacketInfo].length:
 			ctlOpts[ctlPacketInfo].parse(cm, m.Data(l))
-		case ctlOpts[ctlPathMTU].name:
+		case typ == ctlOpts[ctlPathMTU].name && l >= ctlOpts[ctlPathMTU].length:
 			ctlOpts[ctlPathMTU].parse(cm, m.Data(l))
 		}
 	}

ipv6/control_test.go

@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipv6_test
+
+import (
+	"testing"
+
+	"golang.org/x/net/ipv6"
+)
+
+func TestControlMessageParseWithFuzz(t *testing.T) {
+	var cm ipv6.ControlMessage
+	for _, fuzz := range []string{
+		"\f\x00\x00\x00)\x00\x00\x00.\x00\x00\x00",
+		"\f\x00\x00\x00)\x00\x00\x00,\x00\x00\x00",
+	} {
+		cm.Parse([]byte(fuzz))
+	}
+}