In handle_arp_snat() and snat_pre_route() pull enough payload into the headers.

There is no guarantee that the device put any data at all into the header.
The e1000 device, for example, appears to not put any data into the header
when the packet is longer than its configured copybreak value, which is
256 bytes by default.  So we need to do it ourselves.

diff --git a/datapath/nx_act_snat.c b/datapath/nx_act_snat.c
index 6334285780ab58b98861bb74002a1c74ab1b07c9..8bf2ed71b4ab59b2bab49901b72459510d6bd0dd 100644 (file)
--- a/datapath/nx_act_snat.c
+++ b/datapath/nx_act_snat.c
@@ -205,6 +205,9 @@ handle_arp_snat(struct sk_buff *skb)
        struct net_bridge_port *p = skb->dev->br_port;
        struct ip_arphdr *ah = (struct ip_arphdr *)arp_hdr(skb);
 
+       if (!pskb_may_pull(skb, sizeof *ah))
+               return 0;
+
        if ((ah->ar_op != htons(ARPOP_REQUEST)) 
                        || ah->ar_hln != ETH_ALEN
                        || ah->ar_pro != htons(ETH_P_IP)
@@ -305,6 +308,9 @@ snat_pre_route(struct sk_buff *skb)
        else if (skb->protocol != htons(ETH_P_IP)) 
                return 0;
 
+       if (!pskb_may_pull(skb, sizeof *iph))
+               goto ipv4_error;
+
        iph = ip_hdr(skb);
        if (iph->ihl < 5 || iph->version != 4)
                goto ipv4_error;