When sending a packet on a socket(AF_INET, SOCKRAW, ...) socket having the IP_HDRINCL socket option enabled, the user can provide inconsistent data for the options in the IPv4 header. When the packets need to be fragmented, the function ip_optcopy assumes the the IP options have a valid layout. The valid layouts are described in RFC 791. This patch verifies that the user provides the IP options using a valid layout.
This issue was found by running syzkaller on OpenBSD. Greg Steuck made me aware that the problem might also exist on FreeBSD.