xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish

IPv6 payload length indicates the size of the payload, including any extension headers. In xfrm6_transport_finish, ipv6_hdr(skb)->payload_len is set to the payload size only, regardless of the presence of any extension headers. After ESP GRO transport mode decapsulation, ipv6_rcv trims the packet according to the wrong payload_len, thus corrupting the packet. Set payload_len to account for extension headers as well. Fixes: 7785bba ("esp: Add a software GRO codepath") Signed-off-by: Yossi Kuperman <[email protected]> Signed-off-by: Steffen Klassert <[email protected]>
ambv · Jun 22, 2017 · 7c88e21 · 7c88e21
1 parent e747f64
commit 7c88e21
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
@@ -43,8 +43,8 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
 		return 1;
 #endif
 
-	ipv6_hdr(skb)->payload_len = htons(skb->len);
 	__skb_push(skb, skb->data - skb_network_header(skb));
+	ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);