- In vlan_input(), always mask off all but the VLID bits from tags

extracted from received frames, both in the IFCAP_VLAN_HWTAGGING case
  and not. (Some drivers may already do this masking internally, but
  doing it here doesn't hurt and insures consistency.)

- In vlan_ioctl(), don't let the user set a VLAN ID value with anything
  besides the VLID bits set, otherwise we will have trouble matching
  an interface in vlan_input() later.

PR:		kern/46405

sys/net/if_vlan.c

@@ -394,7 +394,7 @@ vlan_input(struct ifnet *ifp, struct mbuf *m)
 		 * Packet is tagged, m contains a normal
 		 * Ethernet frame; the tag is stored out-of-band.
 		 */
-		tag = *(u_int*)(mtag+1);
+		tag = EVL_VLANOFTAG(*(u_int*)(mtag+1));
 		m_tag_delete(m, mtag);
 	} else {
 		switch (ifp->if_type) {
@@ -409,7 +409,7 @@ vlan_input(struct ifnet *ifp, struct mbuf *m)
 				("vlan_input: bad encapsulated protocols (%u)",
 				 ntohs(evl->evl_encap_proto)));
 
-			tag = ntohs(evl->evl_tag);
+			tag = EVL_VLANOFTAG(ntohs(evl->evl_tag));
 
 			/*
 			 * Restore the original ethertype.  We'll remove
@@ -737,6 +737,14 @@ vlan_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 			error = ENOENT;
 			break;
 		}
+		/*
+		 * Don't let the caller set up a VLAN tag with
+		 * anything except VLID bits.
+		 */
+		if (vlr.vlr_tag & ~EVL_VLID_MASK) {
+			error = EINVAL;
+			break;
+		}
 		error = vlan_config(ifv, p);
 		if (error)
 			break;

sys/net/if_vlan_var.h

@@ -40,7 +40,8 @@ struct	ether_vlan_header {
 	u_int16_t evl_proto;
 };
 
-#define	EVL_VLANOFTAG(tag) ((tag) & 4095)
+#define EVL_VLID_MASK	0x0FFF
+#define	EVL_VLANOFTAG(tag) ((tag) & EVL_VLID_MASK)
 #define	EVL_PRIOFTAG(tag) (((tag) >> 13) & 7)
 
 /* sysctl(3) tags, for compatibility purposes */