3 files changed, 30 insertions, 5 deletions

diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index c62dd247774f..7712578bdc66 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -323,17 +323,21 @@ static struct ip6_flowlabel *
 fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
           int optlen, int *err_p)
 {
-        struct ip6_flowlabel *fl;
+        struct ip6_flowlabel *fl = NULL;
         int olen;
         int addr_type;
         int err;
 
+        olen = optlen - CMSG_ALIGN(sizeof(*freq));
+        err = -EINVAL;
+        if (olen > 64 * 1024)
+                goto done;
+
         err = -ENOMEM;
         fl = kzalloc(sizeof(*fl), GFP_KERNEL);
         if (fl == NULL)
                 goto done;
 
-        olen = optlen - CMSG_ALIGN(sizeof(*freq));
         if (olen > 0) {
                 struct msghdr msg;
                 struct flowi flowi;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 58e2b0d93758..d994c55a5b16 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -249,8 +249,8 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct ip6_tnl_parm *p)
         }
 
         t = netdev_priv(dev);
-        ip6_tnl_dev_init(dev);
         t->parms = *p;
+        ip6_tnl_dev_init(dev);
 
         if ((err = register_netdevice(dev)) < 0)
                 goto failed_free;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index c455cf4ee756..c323643ffcf9 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -49,8 +49,19 @@ static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 static const u_int8_t invmap[] = {
         [ICMPV6_ECHO_REQUEST - 128]     = ICMPV6_ECHO_REPLY + 1,
         [ICMPV6_ECHO_REPLY - 128]       = ICMPV6_ECHO_REQUEST + 1,
-        [ICMPV6_NI_QUERY - 128]         = ICMPV6_NI_QUERY + 1,
-        [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_REPLY +1
+        [ICMPV6_NI_QUERY - 128]         = ICMPV6_NI_REPLY + 1,
+        [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_QUERY +1
+};
+
+static const u_int8_t noct_valid_new[] = {
+        [ICMPV6_MGM_QUERY - 130] = 1,
+        [ICMPV6_MGM_REPORT -130] = 1,
+        [ICMPV6_MGM_REDUCTION - 130] = 1,
+        [NDISC_ROUTER_SOLICITATION - 130] = 1,
+        [NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
+        [NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
+        [NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
+        [ICMPV6_MLD2_REPORT - 130] = 1
 };
 
 static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
@@ -178,6 +189,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 {
         const struct icmp6hdr *icmp6h;
         struct icmp6hdr _ih;
+        int type;
 
         icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
         if (icmp6h == NULL) {
@@ -194,6 +206,15 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
                 return -NF_ACCEPT;
         }
 
+        type = icmp6h->icmp6_type - 130;
+        if (type >= 0 && type < sizeof(noct_valid_new) &&
+            noct_valid_new[type]) {
+                skb->nfct = &nf_conntrack_untracked.ct_general;
+                skb->nfctinfo = IP_CT_NEW;
+                nf_conntrack_get(skb->nfct);
+                return NF_ACCEPT;
+        }
+
         /* is not error message ? */
         if (icmp6h->icmp6_type >= 128)
                 return NF_ACCEPT;