diff --git a/CHANGELOG b/CHANGELOG index 83f0a13e42..c8b3fd3a24 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,7 +1,11 @@ CHANGELOG for KAME kit -$KAME: CHANGELOG,v 1.2584 2004/04/06 10:43:32 jinmei Exp $ +$KAME: CHANGELOG,v 1.2585 2004/04/06 11:21:54 suz Exp $ <200404> +2004-04-06 SUZUKI, Shinsuke + * kame/sys/netinet6/{ip6_output.c, ip6.h} + FreeBSD Security Advisory: FreeBSD-SA-04:06.ipv6 + 2004-04-04 SUZUKI, Shinsuke * kame/freebsd5: makes it compilable. diff --git a/kame/sys/netinet6/in6.h b/kame/sys/netinet6/in6.h index c07295dea8..1941f997d6 100644 --- a/kame/sys/netinet6/in6.h +++ b/kame/sys/netinet6/in6.h @@ -1,4 +1,4 @@ -/* $KAME: in6.h,v 1.149 2004/02/25 16:08:39 keiichi Exp $ */ +/* $KAME: in6.h,v 1.150 2004/04/06 11:21:55 suz Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -682,10 +682,11 @@ struct ip6_mtuinfo { #define IPV6CTL_PMTU_EXPIRE 40 /* path MTU expiration timer */ #define IPV6CTL_MAXFRAGS 41 /* max fragments */ #define IPV6CTL_IFQ 42 /* ip6intrq node */ +#define IPV6CTL_ISATAPRTR 43 /* ISATAP router list */ /* New entries should be added here from current IPV6CTL_MAXID value. */ /* to define items, should talk with KAME guys first, for *BSD compatibility */ -#define IPV6CTL_MAXID 43 +#define IPV6CTL_MAXID 44 #ifdef IPV6CTL_RTEXPIRE #define __IPV6CTL_NAMES_RTEXPIRE "rtexpire" diff --git a/kame/sys/netinet6/ip6_output.c b/kame/sys/netinet6/ip6_output.c index ad63a34f9e..fe4f78d3b1 100644 --- a/kame/sys/netinet6/ip6_output.c +++ b/kame/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $KAME: ip6_output.c,v 1.444 2004/03/24 09:11:21 jinmei Exp $ */ +/* $KAME: ip6_output.c,v 1.445 2004/04/06 11:21:54 suz Exp $ */ /* * Copyright (c) 2002 INRIA. All rights reserved. 
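Review bot: The in6.h hunk at `@@ -682,10 +682,11 @@` adds `IPV6CTL_ISATAPRTR` and raises `IPV6CTL_MAXID` to 44, which has no visible connection to the FreeBSD-SA-04:06.ipv6 fix that the CHANGELOG entry records. That entry also names `ip6.h`, while the header touched in this diff is `in6.h`; if the header change belongs here, the entry should read `* kame/sys/netinet6/{ip6_output.c, in6.h}`. A security fix is easier to audit and backport when it carries nothing else, so the sysctl addition would be better as its own commit with its own CHANGELOG line. The `__IPV6CTL_NAMES_*` definitions that begin just below the hunk presumably need a matching entry for index 43; that part of the file is outside the hunk, so it should be confirmed.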
@@ -2376,8 +2376,34 @@ do { \ } #if defined(__FreeBSD__) && __FreeBSD__ >= 3 - optbuf = sopt->sopt_val; + /* sanity check for the given sopt_valsize */ + switch (optname) { + case IPV6_PKTINFO: + if (sopt->sopt_valsize != + sizeof(struct in6_pktinfo)) + error = EINVAL; + break; + case IPV6_NEXTHOP: + if (sopt->sopt_valsize > + SOCK_MAXADDRLEN) + error = EINVAL; + break; + default: + if (sopt->sopt_valsize > IPV6_MAXOPTHDR) + error = EINVAL; + break; + } + if (error) + break; + optlen = sopt->sopt_valsize; + optbuf = malloc(optlen, M_TEMP, M_WAITOK); + error = sooptcopyin(sopt, optbuf, optlen, + optlen); + if (error) { + free(optbuf, M_TEMP); + break; + } #else /* !fbsd3 */ if (m && m->m_next) { error = EINVAL; /* XXX */ @@ -2395,6 +2421,9 @@ do { \ error = ip6_pcbopt(optname, optbuf, optlen, optp, privileged, uproto); +#if defined(__FreeBSD__) && __FreeBSD__ >= 3 + free(optbuf, M_TEMP); +#endif break; } #undef OPTSET
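Review bot: The size switch added in the `@@ -2376,8 +2376,34 @@` hunk bounds `sopt->sopt_valsize` only from above for `IPV6_NEXTHOP` and the `default` case, so a zero or very short length still reaches `malloc(optlen, M_TEMP, M_WAITOK)` and is handed to `ip6_pcbopt()` as a buffer that may be smaller than the structure parsed from it. Whether `ip6_pcbopt()` enforces the per-option minimum length is not visible in this diff, so the dependency should be stated at the check once confirmed, for example `/* upper bound only; shorter lengths are validated in ip6_pcbopt() */`. The matching `free(optbuf, M_TEMP)` sits in the following hunk under a second copy of the same `#if`, so any `break` later added between the copy-in and the `ip6_pcbopt()` call would leak the buffer. A short comment at the `malloc` such as `/* freed after ip6_pcbopt() below */` would make that pairing explicit. The enclosing case starts and ends outside both hunks.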