5 files changed, 21 insertions, 13 deletions
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index eef07b0916a3..ea398ee43f28 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -474,9 +474,6 @@ static int ipip_rcv(struct sk_buff *skb)
        struct iphdr *iph;
        struct ip_tunnel *tunnel;
-        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                goto out;
        iph = skb->nh.iph;
        read_lock(&ipip_lock);
@@ -508,7 +505,6 @@ static int ipip_rcv(struct sk_buff *skb)
        }
        read_unlock(&ipip_lock);
-out:
        return -1;
 }
diff --git a/net/ipv4/tunnel4.c b/net/ipv4/tunnel4.c
index 0d7d386dac22..8d30c48f090e 100644
--- a/net/ipv4/tunnel4.c
+++ b/net/ipv4/tunnel4.c
@@ -8,6 +8,8 @@
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <net/icmp.h>
+#include <net/ip.h>
 #include <net/protocol.h>
 #include <net/xfrm.h>
@@ -70,10 +72,16 @@ static int tunnel4_rcv(struct sk_buff *skb)
 {
        struct xfrm_tunnel *handler;
+        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+                goto drop;
        for (handler = tunnel4_handlers; handler; handler = handler->next)
                if (!handler->handler(skb))
                        return 0;
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+drop:
        kfree_skb(skb);
        return 0;
 }
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 7a0b9524fe08..3e174c83bfe7 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -37,8 +37,6 @@ static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
 {
        switch (nexthdr) {
        case IPPROTO_IPIP:
-                if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                        return -EINVAL;
                *spi = skb->nh.iph->saddr;
                *seq = 0;
                return 0;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index ff9040c92556..a995796b5a57 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -519,9 +519,6 @@ ip6ip6_rcv(struct sk_buff *skb)
        struct ipv6hdr *ipv6h;
        struct ip6_tnl *t;
-        if (!pskb_may_pull(skb, sizeof (*ipv6h)))
-                goto discard;
        ipv6h = skb->nh.ipv6h;
        read_lock(&ip6ip6_lock);
@@ -529,8 +526,7 @@ ip6ip6_rcv(struct sk_buff *skb)
        if ((t = ip6ip6_tnl_lookup(&ipv6h->saddr, &ipv6h->daddr)) != NULL) {
                if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
                        read_unlock(&ip6ip6_lock);
-                        kfree_skb(skb);
+                        goto discard;
-                        return 0;
                }
                if (!(t->parms.flags & IP6_TNL_F_CAP_RCV)) {
@@ -557,9 +553,11 @@ ip6ip6_rcv(struct sk_buff *skb)
                return 0;
        }
        read_unlock(&ip6ip6_lock);
-        icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0, skb->dev);
-discard:
        return 1;
+discard:
+        kfree_skb(skb);
+        return 0;
 }
 static inline struct ipv6_txoptions *create_tel(__u8 encap_limit)
diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
index 5659b52284bd..0ef9a35798d1 100644
--- a/net/ipv6/tunnel6.c
+++ b/net/ipv6/tunnel6.c
@@ -19,11 +19,13 @@
 *              YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
 */
+#include <linux/icmpv6.h>
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <net/ipv6.h>
 #include <net/protocol.h>
 #include <net/xfrm.h>
@@ -87,10 +89,16 @@ static int tunnel6_rcv(struct sk_buff **pskb)
        struct sk_buff *skb = *pskb;
        struct xfrm6_tunnel *handler;
+        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
+                goto drop;
        for (handler = tunnel6_handlers; handler; handler = handler->next)
                if (!handler->handler(skb))
                        return 0;
+        icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, skb->dev);
+drop:
        kfree_skb(skb);
        return 0;
 }