
Intended out-of-bound access from struct field in IPFW #2277

Open
@RoundofThree

  • Type: Code written intentionally to access out of bounds causes CHERI bounds violation
  • Trigger Conditions: IPFW enabled with any rule containing IPv6 masks. An example would be the default open setting
  • Impact: Remote DoS with any IPv6 packet on CheriBSD
  • Root cause:
    An IPFW rule with opcode O_IP6_SRC_MASK or O_IP6_DST_MASK can contain an array of one or more ipfw_insn_ip6. The C code obtains a pointer to the first ipfw_insn_ip6's second field addr6 and uses it to access the third field mask6. It then also increments the same pointer to access the fields of the next ipfw_insn_ip6 in the array.
    There should be no actual vulnerability in this code.

Tagging @YiChenChai.
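
The access pattern described in this issue, as an added example that is not part of the original report or of CheriBSD: a software model of pointer bounds, assuming the pointer taken from `addr6` is bounded to that field alone. The struct layout, the `bounded` type and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for ipfw_insn_ip6; the layout is an assumption. */
struct addr128 { uint8_t b[16]; };
struct insn_ip6 { uint32_t o; struct addr128 addr6, mask6; };
/* Software model of a bounded pointer (not a CHERI API): base plus length. */
struct bounded { const uint8_t *base; size_t len; };
/* Checked load: 0 on success, -1 where a bounds violation would be raised. */
static int load(struct bounded p, size_t off, void *dst, size_t n)
{
    if (off > p.len || n > p.len - off) return -1;
    memcpy(dst, p.base + off, n);
    return 0;
}

/* 1 = match, 0 = no match, -1 = modelled bounds violation. */
static int masked_equal(struct bounded p, size_t a_off, size_t m_off,
                        const struct addr128 *pkt)
{
    struct addr128 a, m;
    if (load(p, a_off, &a, 16) || load(p, m_off, &m, 16)) return -1;
    for (size_t i = 0; i < sizeof a.b; i++)
        if ((pkt->b[i] & m.b[i]) != a.b[i]) return 0;
    return 1;
}

/* Pattern from the issue: pointer taken from addr6, then d[1] read as mask6. */
int match_field_derived(const struct insn_ip6 *cmd, const struct addr128 *pkt)
{
    struct bounded d = { (const uint8_t *)&cmd->addr6, sizeof cmd->addr6 };
    return masked_equal(d, 0, sizeof cmd->addr6, pkt);
}

/* Bounds-friendly form: pointer covers the whole instruction. */
int match_insn_derived(const struct insn_ip6 *cmd, const struct addr128 *pkt)
{
    struct bounded c = { (const uint8_t *)cmd, sizeof *cmd };
    return masked_equal(c, offsetof(struct insn_ip6, addr6),
                        offsetof(struct insn_ip6, mask6), pkt);
}

/* Constructed sample: rule 2001:db8::/32 checked against packet 2001:db8::1. */
int demo(int field_derived)
{
    struct insn_ip6 cmd = { 0, {{0x20, 0x01, 0x0d, 0xb8}}, {{0xff, 0xff, 0xff, 0xff}} };
    struct addr128 pkt = {{0x20, 0x01, 0x0d, 0xb8, [15] = 0x01}};
    return (field_derived ? match_field_derived : match_insn_derived)(&cmd, &pkt);
}
```

In this model the field-derived pointer fails on the `mask6` read even though the bytes lie inside the same instruction, which is the behaviour the report describes; the instruction-derived pointer reads the same bytes and matches.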
