3 files changed, 8 insertions, 6 deletions

diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index eef07b0916a3..ea398ee43f28 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -474,9 +474,6 @@ static int ipip_rcv(struct sk_buff *skb)
         struct iphdr *iph;
         struct ip_tunnel *tunnel;
 
-        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                goto out;
-
         iph = skb->nh.iph;
 
         read_lock(&ipip_lock);
@@ -508,7 +505,6 @@ static int ipip_rcv(struct sk_buff *skb)
         }
         read_unlock(&ipip_lock);
 
-out:
         return -1;
 }
 
diff --git a/net/ipv4/tunnel4.c b/net/ipv4/tunnel4.c
index 0d7d386dac22..8d30c48f090e 100644
--- a/net/ipv4/tunnel4.c
+++ b/net/ipv4/tunnel4.c
@@ -8,6 +8,8 @@
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <net/icmp.h>
+#include <net/ip.h>
 #include <net/protocol.h>
 #include <net/xfrm.h>
 
@@ -70,10 +72,16 @@ static int tunnel4_rcv(struct sk_buff *skb)
 {
         struct xfrm_tunnel *handler;
 
+        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+                goto drop;
+
         for (handler = tunnel4_handlers; handler; handler = handler->next)
                 if (!handler->handler(skb))
                         return 0;
 
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+
+drop:
         kfree_skb(skb);
         return 0;
 }
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 7a0b9524fe08..3e174c83bfe7 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -37,8 +37,6 @@ static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
 {
         switch (nexthdr) {
         case IPPROTO_IPIP:
-                if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                        return -EINVAL;
                 *spi = skb->nh.iph->saddr;
                 *seq = 0;
                 return 0;