4 files changed, 27 insertions, 45 deletions

diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 6778173a3dda..d31c0d6c0448 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -292,7 +292,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
 
                 memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
                 memset(ah->auth_data, 0, ahp->icv_trunc_len);
-                skb_push(skb, skb->data - skb->nh.raw);
+                skb_push(skb, hdr_len);
                 ahp->icv(ahp, skb, ah->auth_data);
                 if (memcmp(ah->auth_data, auth_data, ahp->icv_trunc_len)) {
                         LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
@@ -301,12 +301,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
                 }
         }
 
-        skb->nh.raw = skb_pull(skb, ah_hlen);
-        memcpy(skb->nh.raw, tmp_hdr, hdr_len);
-        skb->nh.ipv6h->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
-        skb_pull(skb, hdr_len);
-        skb->h.raw = skb->data;
-
+        skb->h.raw = memcpy(skb->nh.raw += ah_hlen, tmp_hdr, hdr_len);
+        __skb_pull(skb, ah_hlen + hdr_len);
 
         kfree(tmp_hdr);
 
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 22f046079037..a15a6f320f70 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -142,25 +142,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 
         int hdr_len = skb->h.raw - skb->nh.raw;
         int nfrags;
-        unsigned char *tmp_hdr = NULL;
         int ret = 0;
 
         if (!pskb_may_pull(skb, sizeof(struct ipv6_esp_hdr))) {
                 ret = -EINVAL;
-                goto out_nofree;
+                goto out;
         }
 
         if (elen <= 0 || (elen & (blksize-1))) {
                 ret = -EINVAL;
-                goto out_nofree;
-        }
-
-        tmp_hdr = kmalloc(hdr_len, GFP_ATOMIC);
-        if (!tmp_hdr) {
-                ret = -ENOMEM;
-                goto out_nofree;
+                goto out;
         }
-        memcpy(tmp_hdr, skb->nh.raw, hdr_len);
 
         /* If integrity check is required, do this. */
         if (esp->auth.icv_full_len) {
@@ -222,16 +214,12 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                 /* ... check padding bits here. Silly. :-) */ 
 
                 pskb_trim(skb, skb->len - alen - padlen - 2);
-                skb->h.raw = skb_pull(skb, sizeof(struct ipv6_esp_hdr) + esp->conf.ivlen);
-                skb->nh.raw += sizeof(struct ipv6_esp_hdr) + esp->conf.ivlen;
-                memcpy(skb->nh.raw, tmp_hdr, hdr_len);
-                skb->nh.ipv6h->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
                 ret = nexthdr[1];
         }
 
+        skb->h.raw = __skb_pull(skb, sizeof(*esph) + esp->conf.ivlen) - hdr_len;
+
 out:
-        kfree(tmp_hdr);
-out_nofree:
         return ret;
 }
 
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 48636436028a..cec3be544b69 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -66,10 +66,8 @@ static LIST_HEAD(ipcomp6_tfms_list);
 static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
 {
         int err = 0;
-        u8 nexthdr = 0;
-        int hdr_len = skb->h.raw - skb->nh.raw;
-        unsigned char *tmp_hdr = NULL;
         struct ipv6hdr *iph;
+        struct ipv6_comp_hdr *ipch;
         int plen, dlen;
         struct ipcomp_data *ipcd = x->data;
         u8 *start, *scratch;
@@ -86,17 +84,9 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
 
         /* Remove ipcomp header and decompress original payload */
         iph = skb->nh.ipv6h;
-        tmp_hdr = kmalloc(hdr_len, GFP_ATOMIC);
-        if (!tmp_hdr)
-                goto out;
-        memcpy(tmp_hdr, iph, hdr_len);
-        nexthdr = *(u8 *)skb->data;
-        skb_pull(skb, sizeof(struct ipv6_comp_hdr)); 
-        skb->nh.raw += sizeof(struct ipv6_comp_hdr);
-        memcpy(skb->nh.raw, tmp_hdr, hdr_len);
-        iph = skb->nh.ipv6h;
-        iph->payload_len = htons(ntohs(iph->payload_len) - sizeof(struct ipv6_comp_hdr));
-        skb->h.raw = skb->data;
+        ipch = (void *)skb->data;
+        skb->h.raw = skb->nh.raw + sizeof(*ipch);
+        __skb_pull(skb, sizeof(*ipch));
 
         /* decompression */
         plen = skb->len;
@@ -125,18 +115,11 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
 
         skb_put(skb, dlen - plen);
         memcpy(skb->data, scratch, dlen);
+        err = ipch->nexthdr;
 
-        iph = skb->nh.ipv6h;
-        iph->payload_len = htons(skb->len);
-        
 out_put_cpu:
         put_cpu();
 out:
-        kfree(tmp_hdr);
-        if (err)
-                goto error_out;
-        return nexthdr;
-error_out:
         return err;
 }
 
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
index 5efbbae08ef0..711d713e36d8 100644
--- a/net/ipv6/xfrm6_mode_transport.c
+++ b/net/ipv6/xfrm6_mode_transport.c
@@ -42,8 +42,23 @@ static int xfrm6_transport_output(struct sk_buff *skb)
         return 0;
 }
 
+/* Remove encapsulation header.
+ *
+ * The IP header will be moved over the top of the encapsulation header.
+ *
+ * On entry, skb->h shall point to where the IP header should be and skb->nh
+ * shall be set to where the IP header currently is.  skb->data shall point
+ * to the start of the payload.
+ */
 static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 {
+        int ihl = skb->data - skb->h.raw;
+
+        if (skb->h.raw != skb->nh.raw)
+                skb->nh.raw = memmove(skb->h.raw, skb->nh.raw, ihl);
+        skb->nh.ipv6h->payload_len = htons(skb->len + ihl -
+                                           sizeof(struct ipv6hdr));
+        skb->h.raw = skb->data;
         return 0;
 }