Sophie


kernel-2.6.18-238.el5.src.rpm

From: Herbert Xu <herbert.xu@redhat.com>
Date: Sat, 2 Feb 2008 18:06:14 +1100
Subject: [net] icmp: restore pskb_pull calls in receive func
Message-id: 20080202070614.GA1456@gondor.apana.org.au
O-Subject: [RHEL5.2 PATCH] [ICMP]: Restore pskb_pull calls in receive function
Bugzilla: 431293

Hi:

RHEL5.2 BZ 431293

The ICMP relookup patch (BZ 427876) which has been merged contains a
serious bug where it incorrectly removed the ICMP header length check
in the non-IPsec case.  The following patch is needed to correct this.

[ICMP]: Restore pskb_pull calls in receive function

Somewhere along the development of my ICMP relookup patch the header
length check went AWOL on the non-IPsec path.  This patch restores the
check.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Please ack.

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 275ebd8..f8d0789 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -999,7 +999,8 @@ int icmp_rcv(struct sk_buff *skb)
 			goto error;
 	}
 
-	__skb_pull(skb, sizeof(*icmph));
+	if (!pskb_pull(skb, sizeof(*icmph)))
+		goto error;
 
 	icmph = skb->h.icmph;
 
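Review bot: the restored `if (!pskb_pull(skb, sizeof(*icmph)))` check carries no comment, and the commit message says this same length check already went missing once during rework. A one-line comment above it, stating that the pull is what guarantees a complete ICMP header is present before `icmph = skb->h.icmph` is used, would make it harder to drop again. The ordering is right as written: `icmph` is loaded only after the pull succeeds, and it should stay that way.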
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 4d5bc4c..a3d2aa9 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -670,7 +670,8 @@ static int icmpv6_rcv(struct sk_buff **pskb)
 		}
 	}
 
-	__skb_pull(skb, sizeof(*hdr));
+	if (!pskb_pull(skb, sizeof(*hdr)))
+		goto discard_it;
 
 	hdr = (struct icmp6hdr *) skb->h.raw;
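Review bot: the failure branch here jumps to `discard_it` while the IPv4 hunk jumps to `error`; please confirm that `discard_it` also counts the packet as an input error, otherwise truncated ICMPv6 messages are dropped with no statistic to show for it. As on the IPv4 side, a short comment above the `pskb_pull` check would help, and `hdr` should continue to be assigned from `skb->h.raw` only after the pull has succeeded.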