From: Jiri Pirko <jpirko@redhat.com> Date: Mon, 27 Apr 2009 17:43:20 +0200 Subject: [net] ipv6: fix incoming packet length check Message-id: 20090427154320.GA10275@psychotron.englab.brq.redhat.com O-Subject: [RHEL5.4 patch] BZ492972 net: ipv6: tunnel6: Fix incoming packet length check for inter-protocol tunnel. Bugzilla: 492972 RH-Acked-by: Rik van Riel <riel@redhat.com> RH-Acked-by: David Miller <davem@redhat.com> RH-Acked-by: Anton Arapov <aarapov@redhat.com> BZ492972 https://bugzilla.redhat.com/show_bug.cgi?id=492972 Description: When IPv6 tunnel payload is less than 40(0x28), packet can be sent to network, received in physical interface, but not seen in IP tunnel interface. No counter increase in tunnel interface. Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=82836372311a5cbf9cc5f4f47f9b56cb9edfe90d Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=1751985 Test: Booted on x86_64. Jirka Signed-off-by: Jiri Pirko <jpirko@redhat.com> diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c index 0ef9a35..0eb4574 100644 --- a/net/ipv6/tunnel6.c +++ b/net/ipv6/tunnel6.c @@ -89,7 +89,7 @@ static int tunnel6_rcv(struct sk_buff **pskb) struct sk_buff *skb = *pskb; struct xfrm6_tunnel *handler; - if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) + if (!pskb_may_pull(skb, sizeof(struct iphdr))) goto drop; for (handler = tunnel6_handlers; handler; handler = handler->next)