ipv6: fix tunnel error handling

Both tunnel6_protocol and tunnel46_protocol share the same error
handler, tunnel6_err(), which traverses through tunnel6_handlers list.
For ipip6 tunnels, we need to traverse tunnel46_handlers as we do e.g.
in tunnel46_rcv(). Current code can generate an ICMPv6 error message
with an IPv4 packet embedded in it.

Fixes: 73d605d1abbd ("[IPSEC]: changing API of xfrm6_tunnel_register")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 11 insertions, 1 deletions

diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
index 3c758007b327..dae25cad05cd 100644
--- a/net/ipv6/tunnel6.c
+++ b/net/ipv6/tunnel6.c
@@ -144,6 +144,16 @@ static void tunnel6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                         break;
 }
 
+static void tunnel46_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+                         u8 type, u8 code, int offset, __be32 info)
+{
+        struct xfrm6_tunnel *handler;
+
+        for_each_tunnel_rcu(tunnel46_handlers, handler)
+                if (!handler->err_handler(skb, opt, type, code, offset, info))
+                        break;
+}
+
 static const struct inet6_protocol tunnel6_protocol = {
         .handler        = tunnel6_rcv,
         .err_handler    = tunnel6_err,
@@ -152,7 +162,7 @@ static const struct inet6_protocol tunnel6_protocol = {
 
 static const struct inet6_protocol tunnel46_protocol = {
         .handler        = tunnel46_rcv,
-        .err_handler    = tunnel6_err,
+        .err_handler    = tunnel46_err,
         .flags          = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
 };