Comment 1 for bug 1065150

Sarveshwar Bandi (sarveshwar-bandi) wrote :

Here is the patch submitted to upstream net tree. Waiting for it to be accepted:

From: Sarveshwar Bandi <email address hidden>

If lower layer driver leaves the ip header in the skb fragment, it needs to be first pulled into skb->data before inspecting ip header length or ip version number.

Signed-off-by: Sarveshwar Bandi <email address hidden>
---
 net/bridge/br_netfilter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 68e8f36..fe43bc7 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -265,6 +265,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
  struct net_device *dev = skb->dev;
  u32 len;

+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+ goto inhdr_error;
+
  iph = ip_hdr(skb);
  opt = &(IPCB(skb)->opt);

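Review bot: the new pskb_may_pull() check at the top of br_parse_ip_options() guarantees only sizeof(struct iphdr) bytes in the linear area, which covers the version and ihl fields but not the options this function goes on to parse. The hunk does not show whether a second pull sized from iph->ihl * 4 happens before the option bytes are read; please confirm it does, and that iph is re-read with ip_hdr(skb) after that pull, since pskb_may_pull() can reallocate the skb head and leave an earlier pointer stale. Placing the check before iph = ip_hdr(skb) is the right order here. A one-line comment above the check saying that the driver may hand up the IP header in a page fragment would save the next reader a trip to the changelog.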
--
1.7.9.5