components/squid/patches/CVE-2016-3947.patch
changeset 5756 8233953c0160
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/squid/patches/CVE-2016-3947.patch	Wed Apr 13 10:14:18 2016 -0700
@@ -0,0 +1,36 @@
+Fix for CVE-2016-3947. See:
+
+  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3947
+
+for more details. Based on the squid 3.5.X patch at:
+
+  http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch
+
+--- squid-3.5.5/src/icmp/Icmp6.cc.orig	2016-04-12 11:19:40.947624766 -0700
++++ squid-3.5.5/src/icmp/Icmp6.cc	2016-04-12 11:20:00.180868789 -0700
+@@ -256,7 +256,7 @@
+     #define ip6_hops    // HOPS!!!  (can it be true??)
+ 
+         ip = (struct ip6_hdr *) pkt;
+-        pkt += sizeof(ip6_hdr);
++        NP: echo size needs to +sizeof(ip6_hdr);
+ 
+     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+             ", ip6_plen=" << ip->ip6_plen <<
+@@ -267,7 +267,6 @@
+     */
+ 
+     icmp6header = (struct icmp6_hdr *) pkt;
+-    pkt += sizeof(icmp6_hdr);
+ 
+     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+ 
+@@ -292,7 +291,7 @@
+         return;
+     }
+ 
+-    echo = (icmpEchoData *) pkt;
++    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+ 
+     preply.opcode = echo->opcode;
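Review bot: Nothing visible in the patched Icmp6.cc hunks checks the number of bytes received before `icmp6header->icmp6_type` is read or before `echo->opcode` is read at `pkt + sizeof(icmp6_hdr)`, so a reply shorter than the ICMPv6 header plus the fixed echo fields could still be parsed from leftover buffer contents. The function starts and ends outside these hunks, so such a guard may already exist above the first cast; if it does not, something like `if (<bytes received> < sizeof(icmp6_hdr) + <fixed part of icmpEchoData>) return;` before `icmp6header = ...` would cover it (the bracketed names are placeholders for the real variables). The first inner hunk appears to change only text inside a block comment, judging by the `*/` in the next hunk's context, so the effective fix is the two hunks that stop advancing `pkt`. The patch header could say this in one line, and also state whether the upstream 3.5 changeset applied verbatim to the 3.5.5 tree or was adapted.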
+