From 6f700a157d1049a06ab9c467057d71e98e7798de Mon Sep 17 00:00:00 2001
From: Erik Ekman <erik@kryo.se>
Date: Thu, 28 Sep 2023 22:33:41 +0200
Subject: [PATCH] nd6: Fix RA link-local address option length check

Length field is in units of 8 bytes.
---
 src/core/ipv6/nd6.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/core/ipv6/nd6.c b/src/core/ipv6/nd6.c
index c566c572..55b5774f 100644
--- a/src/core/ipv6/nd6.c
+++ b/src/core/ipv6/nd6.c
@@ -687,12 +687,11 @@ nd6_input(struct pbuf *p, struct netif *inp)
       case ND6_OPTION_TYPE_SOURCE_LLADDR:
       {
         struct lladdr_option *lladdr_opt;
-        if (option_len < ND6_LLADDR_OPTION_MIN_LENGTH) {
+        if (option_len < (ND6_LLADDR_OPTION_MIN_LENGTH + inp->hwaddr_len)) {
           goto lenerr_drop_free_return;
         }
         lladdr_opt = (struct lladdr_option *)buffer;
-        if ((lladdr_opt->length == inp->hwaddr_len) &&
-            (default_router_list[i].neighbor_entry != NULL) &&
+        if ((default_router_list[i].neighbor_entry != NULL) &&
             (default_router_list[i].neighbor_entry->state == ND6_INCOMPLETE)) {
           SMEMCPY(default_router_list[i].neighbor_entry->lladdr, lladdr_opt->addr, inp->hwaddr_len);
           default_router_list[i].neighbor_entry->state = ND6_REACHABLE;