[IPV6] XFRM: Fix decoding session with preceding extension header(s).

We did not correctly decode session with preceding extension
header(s).  This was because we had already pulled preceding
headers, skb->nh.raw + 40 + 1 - skb->data was minus, and
pskb_may_pull() failed.

We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
start parsing / decoding upper layer protocol from current
position.

Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 588922bd926487e5f2df6e1001059d43ff84e175..88c840f1beb678a373284799dc6f8a693fd89544 100644 (file)
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -191,10 +191,10 @@ error:
 static inline void
 _decode_session6(struct sk_buff *skb, struct flowi *fl)
 {
-       u16 offset = sizeof(struct ipv6hdr);
+       u16 offset = skb->h.raw - skb->nh.raw;
        struct ipv6hdr *hdr = skb->nh.ipv6h;
        struct ipv6_opt_hdr *exthdr;
-       u8 nexthdr = skb->nh.ipv6h->nexthdr;
+       u8 nexthdr = skb->nh.raw[IP6CB(skb)->nhoff];
 
        memset(fl, 0, sizeof(struct flowi));
        ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr);