In handle_arp_snat() and snat_pre_route() pull enough payload into the headers.

There is no guarantee that the device put any data at all into the header.
The e1000 device, for example, appears to not put any data into the header
when the packet is longer than its configured copybreak value, which is
256 bytes by default.  So we need to do it ourselves.

diff --git a/datapath/nx_act_snat.c b/datapath/nx_act_snat.c
index 6334285..8bf2ed7 100644 (file)
--- a/datapath/nx_act_snat.c
+++ b/datapath/nx_act_snat.c
@@ -205,6 +205,9 @@ handle_arp_snat(struct sk_buff *skb)
        struct net_bridge_port *p = skb->dev->br_port;
        struct ip_arphdr *ah = (struct ip_arphdr *)arp_hdr(skb);
 
+       if (!pskb_may_pull(skb, sizeof *ah))
+               return 0;
+
        if ((ah->ar_op != htons(ARPOP_REQUEST)) 
                        || ah->ar_hln != ETH_ALEN
                        || ah->ar_pro != htons(ETH_P_IP)
@@ -305,6 +308,9 @@ snat_pre_route(struct sk_buff *skb)
        else if (skb->protocol != htons(ETH_P_IP)) 
                return 0;
 
+       if (!pskb_may_pull(skb, sizeof *iph))
+               goto ipv4_error;
+
        iph = ip_hdr(skb);
        if (iph->ihl < 5 || iph->version != 4)
                goto ipv4_error;