4 files changed, 8 insertions, 12 deletions
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 87c45cbfbaf6..771b47e30f86 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -416,7 +416,7 @@ extern void			ipv6_push_frag_opts(struct sk_buff *skb,
                                                    u8 *proto);
 extern int                      ipv6_skip_exthdr(const struct sk_buff *, int start,
-                                                 u8 *nexthdrp, int len);
+                                                 u8 *nexthdrp);
 extern int                      ipv6_ext_hdr(u8 nexthdr);
diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c
index 6dda815c013f..315bc1fbec3f 100644
--- a/net/ipv6/exthdrs_core.c
+++ b/net/ipv6/exthdrs_core.c
@@ -41,8 +41,8 @@ int ipv6_ext_hdr(u8 nexthdr)
 * when Linux implements ESP (and maybe AUTH) headers.
 * --AK
 *
- * This function parses (probably truncated) exthdr set "hdr"
+ * This function parses (probably truncated) exthdr set "hdr".
- * of length "len". "nexthdrp" initially points to some place,
+ * "nexthdrp" initially points to some place,
 * where type of the first header can be found.
 *
 * It skips all well-known exthdrs, and returns pointer to the start
@@ -63,7 +63,7 @@ int ipv6_ext_hdr(u8 nexthdr)
 * --ANK (980726)
 */
-int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp, int len)
+int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp)
 {
        u8 nexthdr = *nexthdrp;
@@ -71,13 +71,11 @@ int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp, int len
                struct ipv6_opt_hdr _hdr, *hp;
                int hdrlen;
-                if (len < (int)sizeof(struct ipv6_opt_hdr))
-                        return -1;
                if (nexthdr == NEXTHDR_NONE)
                        return -1;
                hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
                if (hp == NULL)
-                        BUG();
+                        return -1;
                if (nexthdr == NEXTHDR_FRAGMENT) {
                        unsigned short _frag_off, *fp;
                        fp = skb_header_pointer(skb,
@@ -97,7 +95,6 @@ int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp, int len
                        hdrlen = ipv6_optlen(hp); 
                nexthdr = hp->nexthdr;
-                len -= hdrlen;
                start += hdrlen;
        }
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 87b9082ceab2..8e0f569b883e 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -135,7 +135,7 @@ static int is_ineligible(struct sk_buff *skb)
        if (len < 0)
                return 1;
-        ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, len);
+        ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr);
        if (ptr < 0)
                return 0;
        if (nexthdr == IPPROTO_ICMPV6) {
@@ -514,7 +514,7 @@ static void icmpv6_notify(struct sk_buff *skb, int type, int code, u32 info)
        nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
        if (ipv6_ext_hdr(nexthdr)) {
                /* now skip over extension headers */
-                inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, skb->len - sizeof(struct ipv6hdr));
+                inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr);
                if (inner_offset<0)
                        return;
        } else {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2ae7d3cb8df4..0d378141c95a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2855,8 +2855,7 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad
        nexthdr = ip6->nexthdr;
        offset += sizeof(_ipv6h);
-        offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
+        offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
-                                  skb->tail - skb->head - offset);
        if (offset < 0)
                goto out;