DF-0469
ip6_get_prevhdr dereferences ip6e without validating len against m_len: fragile implicit contract
Summary
ip6_get_prevhdr(m, off) (:1418-1452): the while (len < off) loop (:1431) dereferences ip6e = (struct ip6_ext*)(mtod+len) (:1432) and reads ip6e_len/ip6e_nxt without checking that len + sizeof(ip6_ext) <= m->m_len. The docstring (:1409-1417) admits that it supposes M includes all headers and that the fields are valid, so the function trusts attacker-controlled metadata. Safety depends entirely on every caller pre-validating with IP6_EXTHDR_CHECK/m_pullup. There is a potential out-of-bounds read if a caller skips that validation. No exploitable caller is currently confirmed. This is a defense-in-depth gap.
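
The bounds check described above, as an added example that is not the kernel's code: a userland C model of the header walk over a flat byte buffer, refusing to read an extension header that does not lie inside the m_len contiguous bytes. The names prevhdr_checked and demo, the constructed sample packet, and the -1 error return are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_HDR_LEN 40   /* fixed IPv6 header; its next-header byte is at offset 6 */
#define EXT_MIN     2    /* ip6e_nxt + ip6e_len, the two bytes every iteration reads */
enum { P_HOPOPTS = 0, P_TCP = 6, P_FRAGMENT = 44, P_AH = 51 };

/* Hypothetical model: offset of the next-header byte of the header that
 * precedes `off`, or -1 if the walk would leave the m_len contiguous bytes. */
long prevhdr_checked(const uint8_t *buf, size_t m_len, size_t off)
{
    if (m_len < IP6_HDR_LEN || off < IP6_HDR_LEN) return -1;
    if (off == IP6_HDR_LEN) return 6;
    size_t len = IP6_HDR_LEN, prev = 0;
    uint8_t nxt = buf[6];
    while (len < off) {
        /* The check the finding reports as missing. */
        if (len > m_len - EXT_MIN)
            return -1;
        uint8_t e_nxt = buf[len], e_len = buf[len + 1];
        prev = len;
        switch (nxt) {
        case P_FRAGMENT: len += 8; break;                       /* fixed size */
        case P_AH:       len += ((size_t)e_len + 2) << 2; break;
        default:         len += ((size_t)e_len + 1) << 3; break;
        }
        nxt = e_nxt;
    }
    return len == off ? (long)prev : -1;   /* a walk that overshoots off is rejected */
}

/* Constructed sample: IPv6 + hop-by-hop (length byte hbh_len) + fragment header. */
long demo(uint8_t hbh_len, size_t m_len, size_t off)
{
    uint8_t pkt[56] = {0};
    if (m_len > sizeof(pkt)) m_len = sizeof(pkt);   /* never claim more than exists */
    pkt[0] = 0x60;                                  /* version 6 */
    pkt[6] = P_HOPOPTS;
    pkt[40] = P_FRAGMENT; pkt[41] = hbh_len;
    pkt[48] = P_TCP;
    return prevhdr_checked(pkt, m_len, off);
}

int main(void)
{
    printf("%ld %ld\n", demo(0, 56, 56), demo(255, 48, 2096));
    return 0;
}
```

The second call in main models a caller that passes an off it never validated against m_len: the hop-by-hop length byte of 255 moves len to 2088, and the check stops the walk before the next dereference.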