From 0e581e1cf79c3138ab9a9304f37cce057390d748 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Wed, 21 Dec 2005 11:49:40 -0800
Subject: [PATCH] Add bridge netfilter w/ipv6 fix (randomly dropping packets), fwd from DaveM
---
 queue/fix-bridge-nf-ipv6-length-check.patch | 61 +++++++++++++++++++++
 queue/series | 1 +
 2 files changed, 62 insertions(+)
 create mode 100644 queue/fix-bridge-nf-ipv6-length-check.patch
diff --git a/queue/fix-bridge-nf-ipv6-length-check.patch b/queue/fix-bridge-nf-ipv6-length-check.patch
new file mode 100644
index 00000000000..a5a0850c211
--- /dev/null
+++ b/queue/fix-bridge-nf-ipv6-length-check.patch
@@ -0,0 +1,61 @@
+From stable-bounces@linux.kernel.org Mon Dec 19 17:03:09 2005
+Date: Mon, 19 Dec 2005 17:00:13 -0800 (PST)
+Message-Id: <20051219.170013.123451098.davem@davemloft.net>
+To: stable@kernel.org
+From: "David S. Miller"
+Subject: [BRIDGE-NF]: Fix bridge-nf ipv6 length check
+
+From: Bart De Schuymer
+
+A typo caused some bridged IPv6 packets to get dropped randomly,
+as reported by Sebastien Chaumontet. The patch below fixes this
+(using skb->nh.raw instead of raw) and also makes the jumbo packet
+length checking up-to-date with the code in
+net/ipv6/exthdrs.c::ipv6_hop_jumbo.
+
+Signed-off-by: Bart De Schuymer
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+
+ net/bridge/br_netfilter.c | 17 +++++++----------
+ 1 files changed, 7 insertions(+), 10 deletions(-)
+
+Index: linux-2.6.14.y/net/bridge/br_netfilter.c
+===================================================================
+--- linux-2.6.14.y.orig/net/bridge/br_netfilter.c
++++ linux-2.6.14.y/net/bridge/br_netfilter.c
+@@ -295,7 +295,7 @@ static int check_hbh_len(struct sk_buff
+ len -= 2;
+
+ while (len > 0) {
+- int optlen = raw[off+1]+2;
++ int optlen = skb->nh.raw[off+1]+2;
+
+ switch (skb->nh.raw[off]) {
+ case IPV6_TLV_PAD0:
+@@ -308,18 +308,15 @@ static int check_hbh_len(struct sk_buff
+ case IPV6_TLV_JUMBO:
+ if (skb->nh.raw[off+1] != 4 || (off&3) != 2)
+ goto bad;
+-
+ pkt_len = ntohl(*(u32*)(skb->nh.raw+off+2));
+-
++ if (pkt_len <= IPV6_MAXPLEN ||
++ skb->nh.ipv6h->payload_len)
++ goto bad;
+ if (pkt_len > skb->len - sizeof(struct ipv6hdr))
+ goto bad;
+- if (pkt_len + sizeof(struct ipv6hdr) < skb->len) {
+- if (__pskb_trim(skb,
+- pkt_len + sizeof(struct ipv6hdr)))
+- goto bad;
+- if (skb->ip_summed == CHECKSUM_HW)
+- skb->ip_summed = CHECKSUM_NONE;
+- }
++ if (pskb_trim_rcsum(skb,
++ pkt_len+sizeof(struct ipv6hdr)))
++ goto bad;
+ break;
+ default:
+ if (optlen > len)
diff --git a/queue/series b/queue/series
index ec12f8d325f..f1fea1361d8 100644
--- a/queue/series
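Review bot: In the queued br_netfilter.c change, the `IPV6_TLV_JUMBO` case reads four bytes at `skb->nh.raw+off+2` without first confirming that the option fits in the remaining hop-by-hop area; `optlen > len` is tested only under `default:`. A jumbo TLV that starts in the last bytes of the header would have its length field taken from whatever follows the options, and that value is then compared against `skb->len` and passed to `pskb_trim_rcsum()`. Making `if (optlen > len) goto bad;` the first statement of the jumbo case would keep the parse inside the declared header before anything is read or trimmed. check_hbh_len() starts and ends outside these hunks, so whether the extra bytes are already guaranteed to be in the linear buffer, and whether `skb->len` is known to be at least `sizeof(struct ipv6hdr)` before the unsigned subtraction, cannot be confirmed from here.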
+++ b/queue/series
@@ -9,3 +9,4 @@ fix-vlan-checksumming.patch
 fix-nat-init-order.patch
 fix-incorrect-dependency-for-IP6_NF_TARGET_NFQUEUE.patch
 rtnetlink-fix-RTNLGRP-definitions-in-rtnetlink.h.patch
+fix-bridge-nf-ipv6-length-check.patch
--
2.47.3