1 files changed, 11 insertions, 2 deletions

diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 419960b0ba16..a0b6932c3afd 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1234,7 +1234,7 @@ static inline int
 ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
-        const struct iphdr  *iph = ip_hdr(skb);
+        const struct iphdr  *iph;
         int encap_limit = -1;
         struct flowi6 fl6;
         __u8 dsfield;
@@ -1242,6 +1242,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         u8 tproto;
         int err;
 
+        /* ensure we can access the full inner ip header */
+        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+                return -1;
+
+        iph = ip_hdr(skb);
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
 
         tproto = READ_ONCE(t->parms.proto);
@@ -1306,7 +1311,7 @@ static inline int
 ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
-        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+        struct ipv6hdr *ipv6h;
         int encap_limit = -1;
         __u16 offset;
         struct flowi6 fl6;
@@ -1315,6 +1320,10 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         u8 tproto;
         int err;
 
+        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
+                return -1;
+
+        ipv6h = ipv6_hdr(skb);
         tproto = READ_ONCE(t->parms.proto);
         if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
             ip6_tnl_addr_conflict(t, ipv6h))