3 files changed, 8 insertions, 7 deletions

diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b4450f1ccc1..6298d404e7c 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -37,28 +37,28 @@ target(struct sk_buff **pskb,
         /* We assume that pln and hln were checked in the match */
         if (mangle->flags & ARPT_MANGLE_SDEV) {
                 if (ARPT_DEV_ADDR_LEN_MAX < hln ||
-                   (arpptr + hln > (**pskb).tail))
+                   (arpptr + hln > skb_tail_pointer(*pskb)))
                         return NF_DROP;
                 memcpy(arpptr, mangle->src_devaddr, hln);
         }
         arpptr += hln;
         if (mangle->flags & ARPT_MANGLE_SIP) {
                 if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
-                   (arpptr + pln > (**pskb).tail))
+                   (arpptr + pln > skb_tail_pointer(*pskb)))
                         return NF_DROP;
                 memcpy(arpptr, &mangle->u_s.src_ip, pln);
         }
         arpptr += pln;
         if (mangle->flags & ARPT_MANGLE_TDEV) {
                 if (ARPT_DEV_ADDR_LEN_MAX < hln ||
-                   (arpptr + hln > (**pskb).tail))
+                   (arpptr + hln > skb_tail_pointer(*pskb)))
                         return NF_DROP;
                 memcpy(arpptr, mangle->tgt_devaddr, hln);
         }
         arpptr += hln;
         if (mangle->flags & ARPT_MANGLE_TIP) {
                 if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
-                   (arpptr + pln > (**pskb).tail))
+                   (arpptr + pln > skb_tail_pointer(*pskb)))
                         return NF_DROP;
                 memcpy(arpptr, &mangle->u_t.tgt_ip, pln);
         }
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 5842f1aa973..15e0d200223 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -191,7 +191,7 @@ ipq_flush(int verdict)
 static struct sk_buff *
 ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp)
 {
-        unsigned char *old_tail;
+        sk_buff_data_t old_tail;
         size_t size = 0;
         size_t data_len = 0;
         struct sk_buff *skb;
@@ -235,7 +235,7 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp)
         if (!skb)
                 goto nlmsg_failure;
 
-        old_tail= skb->tail;
+        old_tail = skb->tail;
         nlh = NLMSG_PUT(skb, 0, 0, IPQM_PACKET, size - sizeof(*nlh));
         pmsg = NLMSG_DATA(nlh);
         memset(pmsg, 0, sizeof(*pmsg));
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index c2c92ff1278..8a40fbe842b 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -92,7 +92,8 @@ static void mangle_contents(struct sk_buff *skb,
         /* move post-replacement */
         memmove(data + match_offset + rep_len,
                 data + match_offset + match_len,
-                skb->tail - (data + match_offset + match_len));
+                skb->tail - (skb->network_header + dataoff +
+                             match_offset + match_len));
 
         /* insert data from buffer */
         memcpy(data + match_offset, rep_buffer, rep_len);