Index: udp6_usrreq.c =================================================================== RCS file: /data/fbsd-cvs/ncvs/src/sys/netinet6/udp6_usrreq.c,v retrieving revision 1.77 diff -u -r1.77 udp6_usrreq.c --- udp6_usrreq.c 9 Jul 2007 17:47:04 -0000 1.77 +++ udp6_usrreq.c 10 Jul 2007 10:37:59 -0000 @@ -65,6 +65,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_mac.h" #include #include @@ -92,7 +93,9 @@ #include #include #include +#include #include +#include #include #include #include @@ -108,6 +111,8 @@ #include #endif /* IPSEC */ +#include + /* * UDP protocol inplementation. * Per RFC 768, August, 1980. @@ -133,7 +138,12 @@ return; } #endif /* IPSEC */ - +#ifdef MAC + if (mac_check_inpcb_deliver(in6p, n) != 0) { + m_freem(n); + return; + } +#endif opts = NULL; if (in6p->in6p_flags & IN6P_CONTROLOPTS || in6p->inp_socket->so_options & SO_TIMESTAMP) @@ -184,6 +194,12 @@ udpstat.udps_ipackets++; + /* + * Destination port of 0 is illegal, based on RFC768. + */ + if (uh->uh_dport == 0) + goto badunlocked; + plen = ntohs(ip6->ip6_plen) - off + sizeof(*ip6); ulen = ntohs((u_short)uh->uh_ulen); @@ -235,6 +251,15 @@ continue; if (in6p->in6p_lport != uh->uh_dport) continue; + /* + * XXX: Do not check source port of incoming datagram + * unless inp_connect() has been called to bind the + * fport part of the 4-tuple; the source could be + * trying to talk to us with an ephemeral port. + */ + if (in6p->inp_fport != 0 && + in6p->inp_fport != uh->uh_sport) + continue; if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->in6p_laddr)) { if (!IN6_ARE_ADDR_EQUAL(&in6p->in6p_laddr, &ip6->ip6_dst)) @@ -310,6 +335,10 @@ goto badheadlocked; } INP_INFO_RUNLOCK(&udbinfo); + if (udp_blackhole) + goto badunlocked; + if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0) + goto badunlocked; icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0); return (IPPROTO_DONE); } 
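Review bot: The MAC denial branch added in the `@@ -133,7 +138,12 @@` hunk frees `n` and returns with no comment or counter, so a policy-denied delivery looks the same as any other loss when someone later debugs missing datagrams. A one-line comment above the check would help, for example `/* MAC policy denied delivery to this pcb: drop this copy silently. */`. The check presumably relies on the caller holding the pcb lock. The start of the enclosing function is outside the hunk, so confirm that there and consider stating it with `INP_LOCK_ASSERT(in6p);` at the top of the function.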
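Review bot: The `uh->uh_dport == 0` drop added in the `@@ -184,6 +194,12 @@` hunk jumps to `badunlocked` right after `udps_ipackets++`, and as far as the hunk shows nothing else is counted, so these rejected datagrams cannot be told apart in the UDP statistics. If `udpstat` has a suitable error counter, increment it before the `goto`; otherwise extend the comment to say so, for example `/* Destination port of 0 is illegal (RFC 768); dropped without a dedicated counter. */`. The test also reads `uh` before the `plen`/`ulen` validation that follows. The code that sets up `uh` is outside the hunk, so confirm the UDP header is already guaranteed to be in the mbuf at that point.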
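Review bot: The foreign-port filter added in the `@@ -235,6 +251,15 @@` hunk uses `in6p->inp_fport`, while the line just above it uses the IPv6 alias `in6p->in6p_lport`; for consistency write it as `if (in6p->in6p_fport != 0 && in6p->in6p_fport != uh->uh_sport)`. The comment refers to `inp_connect()`, which looks carried over from the IPv4 code, and it should name the IPv6 connect path that actually sets the foreign port. It also carries an `XXX` marker without saying what is still unresolved. Stating the intent directly would help, for example `/* A connected socket only accepts datagrams from its peer's port; unconnected sockets (fport == 0) accept any source port. */`. The enclosing loop starts and ends outside the hunk, so check that this does not duplicate a foreign address and port comparison further down.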
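Review bot: The `badport_bandlim(BANDLIM_ICMP_UNREACH)` call added before `icmp6_error()` in the `@@ -310,6 +335,10 @@` hunk appears to draw on the same rate-limit bucket as the IPv4 port-unreachable path. If so, a burst of IPv6 datagrams to closed ports could use up the budget for IPv4 replies, and the reverse. `icmp6_error()` may also apply its own ICMPv6 rate limit, which is outside the hunk, so the reply could be limited twice. Either confirm that sharing is intended or note it in a comment, for example `/* Shares the ICMP unreachable rate limit with IPv4. */`. The `udp_blackhole` test also extends that knob to IPv6 without saying so, and `/* Honour udp_blackhole for IPv6 too: drop without an ICMPv6 port-unreachable reply. */` would make the behaviour change visible to operators.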
@@ -318,6 +347,7 @@ INP_UNLOCK(in6p); INP_INFO_RUNLOCK(&udbinfo); return (IPPROTO_DONE); + badheadlocked: INP_INFO_RUNLOCK(&udbinfo); badunlocked: @@ -735,7 +765,9 @@ } } #endif - +#ifdef MAC + mac_create_mbuf_from_inpcb(inp, m); +#endif error = udp6_output(inp, m, addr, control, td); out: INP_UNLOCK(inp);
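Review bot: The `mac_create_mbuf_from_inpcb(inp, m)` call in the `@@ -735,7 +765,9 @@` hunk labels the mbuf in the caller rather than inside `udp6_output()`, so any other caller of `udp6_output()` would send unlabelled datagrams. Whether such callers exist cannot be seen from this hunk. Either move the call into `udp6_output()` or document the contract at the call site, for example `/* Label the mbuf from the pcb here; udp6_output() does not do it. */`. The enclosing function starts outside the hunk, and the `#endif` just above suggests an earlier conditional path, so confirm that any return taken before this point hands the mbuf to code that applies its own label. The hunk also removes the blank line that separated the preceding `#endif` block from this one, which is worth keeping for readability.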