const struct net_device *out,
const void *matchinfo,
int offset,
+ unsigned int protoff,
int *hotdrop)
{
- struct ip_esp_hdr esp;
+ struct ip_esp_hdr _esp, *eh;
const struct ipt_esp *espinfo = matchinfo;
/* Must not be a fragment. */
if (offset)
return 0;
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &esp, sizeof(esp)) < 0) {
+ eh = skb_header_pointer(skb, protoff,
+ sizeof(_esp), &_esp);
+ if (eh == NULL) {
/* We've been asked to examine this packet, and we
- can't. Hence, no choice but to drop. */
+ * can't. Hence, no choice but to drop.
+ */
duprintf("Dropping evil ESP tinygram.\n");
*hotdrop = 1;
return 0;
}
return spi_match(espinfo->spis[0], espinfo->spis[1],
- ntohl(esp.spi),
+ ntohl(eh->spi),
!!(espinfo->invflags & IPT_ESP_INV_SPI));
}
/* Called when user tries to insert an entry of this type. */
static int
checkentry(const char *tablename,
- const struct ipt_ip *ip,
+ const void *ip_void,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
{
const struct ipt_esp *espinfo = matchinfo;
+ const struct ipt_ip *ip = ip_void;
/* Must specify proto == ESP, and no unknown invflags */
if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {