goto out;
}
- memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
-
/*
* Store incoming device index. When the packet will
* be queued, we cannot refer to skb->dev anymore.
*/
IP6CB(skb)->iif = skb->dst ? ((struct rt6_info *)skb->dst)->rt6i_idev->dev->ifindex : dev->ifindex;
- if (unlikely(!pskb_may_pull(skb, sizeof(*hdr))))
+ if (skb->len < sizeof(struct ipv6hdr))
goto err;
+ if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ goto drop;
+ }
+
hdr = skb->nh.ipv6h;
if (hdr->version != 6)
}
if (hdr->nexthdr == NEXTHDR_HOP) {
- if (ipv6_parse_hopopts(skb) < 0) {
+ if (ipv6_parse_hopopts(skb, IP6CB(skb)->nhoff) < 0) {
IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
return 0;
}
+ hdr = skb->nh.ipv6h;
}
return NF_HOOK(PF_INET6,NF_IP6_PRE_ROUTING, skb, dev, NULL, ip6_rcv_finish);