Subject: IPv6 MTU handling problem

An IPv6 MTU handling problem has been reported by Georgi Guninski[1],
which could be used by an attacker to cause a denial of service attack
against hosts reachable through IPv6.

When the MTU (maximum transfer unit) for an IPv6 route is set very low,
the TCP stack will enter an endless recursion when the next TCP packet
is sent. This can be exploited remotely by sending ICMP6 'packet too
big' messages containing such low MTU values. The kernel will
effectively lock up, causing denial of service. It is not believed that
this problem can be used to execute arbitrary code.

IPv6 is enabled by default, but the problem can only be exploited
remotely against hosts which are reachable through IPv6. Hosts with
IPv4 connectivity only are not affected.

The problem is fixed in -current, patches for 3.4-stable and 3.3-stable
are available at

  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/011_ip6.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/016_ip6.patch

[1] http://www.guninski.com/obsdmtu.html