--- src/sys/netinet6/ip6_input.c	2006/12/22 23:57:53	1.32
+++ src/sys/netinet6/ip6_input.c	2007/05/07 13:00:16	1.33
@@ -245,7 +245,7 @@ ip6_input(struct netmsg *msg)
 	int off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
-	int nxt, ours = 0;
+	int nxt, ours = 0, rh_present = 0;
 	struct ifnet *deliverifp = NULL;
 	struct in6_addr odst;
 	int srcrt = 0;
@@ -777,9 +777,11 @@ hbhcheck:
 	in6_ifstat_inc(deliverifp, ifs6_in_deliver);
 	nest = 0;
 
+	rh_present = 0;
 	while (nxt != IPPROTO_DONE) {
 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
 			ip6stat.ip6s_toomanyhdr++;
+			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
 			goto bad;
 		}
 
@@ -809,6 +811,15 @@ hbhcheck:
 		}
 #endif
 
+		if (nxt == IPPROTO_ROUTING) {
+			if (rh_present++) {
+				in6_ifstat_inc(m->m_pkthdr.rcvif,
+				    ifs6_in_hdrerr);
+				ip6stat.ip6s_badoptions++;
+				goto bad;
+			}
+		}
+
 #ifdef IPSEC
 		/*
 		 * enforce IPsec policy checking if we are seeing last header.