From ffe7a1e82279b18e114cb2bb6b6a705d762f4594 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sun, 11 Dec 2016 14:03:10 +0100
Subject: device: ensure icmp skb length check is done for v6
---
 src/device.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'src/device.c')
diff --git a/src/device.c b/src/device.c
index e48cb68..68e74b9 100644
--- a/src/device.c
+++ b/src/device.c
@@ -98,23 +98,19 @@ static void skb_unsendable(struct sk_buff *skb, struct net_device *dev)
 #endif
 ++dev->stats.tx_errors;
- if (skb->len < sizeof(struct iphdr))
- goto free;
-
- if (ip_hdr(skb)->version == 4) {
+ if (skb->len >= sizeof(struct iphdr) && ip_hdr(skb)->version == 4) {
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
 if (ct)
 ip_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
 #endif
 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
- } else if (ip_hdr(skb)->version == 6) {
+ } else if (skb->len >= sizeof(struct ipv6hdr) && ip_hdr(skb)->version == 6) {
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
 if (ct)
 ipv6_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
 #endif
 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
 }
-free:
 kfree_skb(skb);
 }
-- 
cgit v1.2.3-59-g8ed1b
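Review bot: Both new guards compare `skb->len`, which counts paged fragment data as well as the linear area, so passing them does not by itself show that the header bytes `ip_hdr(skb)` and `ipv6_hdr(skb)` read and then write (`->version`, `->saddr`) sit in linear memory. Whether a non-linear skb can reach `skb_unsendable` is not visible here, since the function starts above the hunk. If it can, a side-effect-free form is `if (skb_headlen(skb) >= sizeof(struct iphdr) && ip_hdr(skb)->version == 4) {`, with the same change using `sizeof(struct ipv6hdr)` in the `else if`. Use `pskb_may_pull()` instead if the ICMP error should still be sent for fragmented packets. The comparison also assumes `skb->data` coincides with the network header, which would merit a one-line comment above the first `if`, for example `/* skb->data is the L3 header here; length is checked before each header access */`.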