From nobody Fri Jun 12 20:16:54 2026 Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com [209.85.222.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E31C53C4B85 for ; Tue, 12 May 2026 20:51:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619086; cv=none; b=tr/OdQCSx61llho/GwgEBFQyBeXCFQltcTCv0nljLdPHQ2zgZarHC5SGsr3EiCICZ6LRIS5sewPmAiV5O8RLkkj9ay4s4d7B6pEjjf+gTIloUU/6Em6xtsaRkWQFtwzj9WBACqb5FDTNEINYk7sc/Ww/GA7acuwV0eVu29lvszU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619086; c=relaxed/simple; bh=SrGWi/6wHIXpn0Jzv1Nk8znKQrM+sdOspj2f3aHSYS0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tiElAuDJeTZk5txKWMby3dc2yvGMyFW7VvR7JdaN1HKpX5nXvYBPUOVOri/2BY3wE0fu23bx6GStl8nj200lOL29/KjAr8m1od8ax7ftnYxpKRx0Y/CUgxS2YvLDt67zLdG25bq3a1jTWnW/Ly+dDVLaO51VLZ6Co4yqhbiP4Ns= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=L4WGyJBq; arc=none smtp.client-ip=209.85.222.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="L4WGyJBq" Received: by mail-qk1-f181.google.com with SMTP id af79cd13be357-8f15e900586so310819485a.1 for ; Tue, 12 May 2026 13:51:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778619081; x=1779223881; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Gga6YQiahEkWcYcvgOogf9AGzn6VBTkh6VyNbP8w6hs=; b=L4WGyJBqW98rGzfUq48UkQf+sLoqqFqTRI8lsOY9ffyHrujzBc46X+w82lmEugol6+ 6CiCMw5AaJAXJs5x7AJiCKQczN/xlvzsFlEZjKHUMQ3smEUIVzrnvgaWzTAdQHA9rv/i UkQ/neWqYsrRVUtMWtK4qIsix3oaH4DCdYEMlcD9g8Bqt7i8MN+iK26pwgWncfW0i5Cb RWWQQHdyYfU/da8eXynlyL1UFFjUqO5ezHQ83AN3RGnBlKXMC/r0IU9wWzE0fT5KzeN6 Ny06CFroIcEVNJhWVDcqv+QyQ13sSY1EOAApL4mXVfFcS45wNTi7cYVVrlcaOJyzpPoc n3PQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778619081; x=1779223881; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Gga6YQiahEkWcYcvgOogf9AGzn6VBTkh6VyNbP8w6hs=; b=PWjohvshu8HBzBHxAyQo+qn5vbAHP9Rz1pYs3VJ2oJqexLXc25JQ0ji21qa+/bbD6E kKjCWTtt75kOZSSHKZ4p7Ej/xPxuXkm84CpcTGDHqsjoireqtvM58eUcYwt8I3FODAc6 r6PXja3ZU0K4z30gTCvMbPt9Hg8FARIQUur1YUYhvFN3ISj9T0ya4lXoEGEN2pxN/Xze l4wiFrXzvWJVrYNCf+xTQ0rRZXCpKF7W6WDJ0XZ8yujOqszsH3kQV4X6e6QAg3r6lHah I0Dz07nEnKuYZAarhJoT6+zd0WA2RhrgGj33MGj5gLsGkGuHr9FcTs3fw8h21C4rj2pm zx+A== X-Forwarded-Encrypted: i=1; AFNElJ/sd57WEoEVwfo01J+utHCV0QZSLQ5YncMgWIKANn6nAtGTTZjm0cQX8vv8ktAUsz4PiPPKpqd9e/rIyt4=@vger.kernel.org X-Gm-Message-State: AOJu0YwYpv1T5FiaMDaTxVFj7NKin2X3/MAgAw74iAYL/LqHMQwoRxHz 06J5em6SsVTq4ciYKAH5pSbk1rgJhj3WDV+X2x8Yhm08iUBey2KxmQM9 X-Gm-Gg: Acq92OHVZBNWIg83nbDMzQ7zTcLYHXzra/AXgvMAL1u+AhUHzIMU90wzN9we+q8yQI3 PIs3CVNYBaLzUcOnTWjVn4gPx4NCIiu5DY0HSK1swxmta6O5P4oiHGUhoAlhiEZaJFA5siJAcab Jr+vRIxXnDVY24FMn+WtvfUELNSeEBIR/GHVHJ4sUVnjf/hUgbwTuuX7pvAEbEUeUMZUrOZm+E4 jA83h2HZOmVVjaGVm5amj7P7jG77PDDARg6bJqXG3E7Ndp5yK9Rd6XQcMKePhjcEvQQXhAjTJ4K yd0Dcyid1hdAazafrxpLz3oK3wJxsO5kJFgEZr7Bp5H0JPKtkHkFeNp/5zU3xuBXvU28vzNIZMJ Rz22BZOEpLZsEZqLd98FGhNeXmpo75O1MD9WZHfOco81TtqTR7b5tckGooWCjXiqs7T8r6nHlmY BPQaJJT7OJ6IxKm3Vv6gwYqLb+yi/+jsZIBa7cQ8s9eQnHu2kB4tQ1lXZ6JAU56co6pPSWLnnEC Le+vpKj3+BUze81qH8NMg0LAowvViY8AS8nvsgSRTkDlBkeOhAVTw== X-Received: by 2002:a05:620a:d8e:b0:90b:263:f6b with SMTP id af79cd13be357-90fabcf968amr11126885a.21.1778619080781; Tue, 12 May 2026 13:51:20 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-907b8d9eed0sm1490734285a.19.2026.05.12.13.51.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 13:51:20 -0700 (PDT) From: Michael Bommarito To: Steffen Klassert , Herbert Xu , Eric Dumazet , netdev@vger.kernel.org Cc: "David S . Miller" , Jakub Kicinski , Paolo Abeni , Kuniyuki Iwashima , Maciej Zenczykowski , Kees Cook , Jeff Layton , "Gustavo A . R . Silva" , Pablo Neira Ayuso , Florian Westphal , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH net 1/2] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Date: Tue, 12 May 2026 16:51:14 -0400 Message-ID: <77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" raw_send_hdrinc() validates that the caller-supplied IPv4 header fits within the message length: iphlen =3D iph->ihl * 4; err =3D -EINVAL; if (iphlen > length) goto error_free; if (iphlen >=3D sizeof(*iph)) { /* fix up saddr, tot_len, id, csum, transport_header */ } It does not, however, reject ihl < 5. For such a packet the "if (iphlen >=3D sizeof(*iph))" branch is skipped, leaving the crafted iphdr untouched, but the packet is still handed to __ip_local_out() and onward. Downstream consumers that read iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4 and passes the (signed-int-negative, then cast to size_t) result to memcpy(), producing an OOB access of length close to SIZE_MAX and a host kernel panic. An IPv4 header with ihl < 5 is malformed by definition (RFC 791: "Internet Header Length is the length of the internet header in 32 bit words ... Note that the minimum value for a correct header is 5."). The kernel should not be willing to inject such a packet into its own output path. Reject "iphlen < sizeof(*iph)" alongside the existing "iphlen > length" check. This matches the principle that locally constructed packets that re-enter the IP stack must pass the same basic sanity tests that a foreign packet would be subjected to. Once this lands, the "if (iphlen >=3D sizeof(*iph))" wrapper around the fixup branch becomes redundant; left in place to keep the patch minimal and backport-friendly. A follow-up can unwrap it. Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket message is big enough to hold an IP header") ensures the message buffer is large enough to hold an iphdr, but does not constrain the self-reported iph->ihl. Reachability: the malformed packet source is any caller with CAP_NET_RAW, including an unprivileged process in a user+net namespace on a kernel with CONFIG_USER_NS=3Dy. The reproduced AH crash also requires a matching xfrm AH policy on the outgoing route; a container granted CAP_NET_ADMIN can install that state and policy in its netns. Loopback bypasses xfrm_output, so the trigger uses a real netdev. Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with memcpy_orig at the crash site. Same shape reproduces inside a rootless Docker container with --cap-add NET_ADMIN on a stock distro kernel. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Suggested-by: Herbert Xu Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- net/ipv4/raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 5aaf9c62c8e1..68e88cb3e55c 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -391,7 +391,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flow= i4 *fl4, * in, reject the frame as invalid */ err =3D -EINVAL; - if (iphlen > length) + if (iphlen > length || iphlen < sizeof(*iph)) goto error_free; =20 if (iphlen >=3D sizeof(*iph)) { --=20 2.53.0 From nobody Fri Jun 12 20:16:54 2026 Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A1CB3C8195 for ; Tue, 12 May 2026 20:51:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619087; cv=none; b=LuZwtRhKSUVuZqupY4ioPY6N85Hn8QOlawcjT/0wX40inR7vw3ntLOLeLoT+z0I2tL1FZhJxkX2cc112jWrJsxRKVlkQyARoGEfO2M11kgiNgk9cq3Mzn6xKQcLDw1mtEAJJoN7+EtgWmg/D5DohbMDs7i5u7c4YW0T9SDfW6NM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619087; c=relaxed/simple; bh=J5gmNSPNQxxcqs8XDR9P+NOgy6ibnVJAuMTAtqZpUZ4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ovQAGLI3wgbEMHCvJ/OK7EUbuDwD+uorchM7QDBTvQtFmEEMZ2HG8SiKT6/PkIcLsFIEUckYUNb8MiO2RCupqXFnoK828MmDM7rt9ZIYti151J1m2yZvEeczlEw+t8BnIfbbb7BOqdNgkcsytRX/LVmgd3kw5L2UgoZtCJkk/WM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=YKDuELNx; arc=none smtp.client-ip=209.85.222.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YKDuELNx" Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-90d2acb9936so119630285a.0 for ; Tue, 12 May 2026 13:51:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778619082; x=1779223882; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RpARctubxx8lA4XtZtvDCBF0ktNsLEKbeHjau0kupPc=; b=YKDuELNxPRrDXZRddMTCvxBXg7tuOMXxHNohdJP86e9wVCAjhJQf0FWbA8tMPE3TEk lRKj2tBaUEN1lrjuK/HrsJpEHPlT1YZqUJWK0puHJjVn+g5/GnI/oa3YI6/Al2df2f1E r0bJ17t477l3849Whf3YPA8IrqxYJspTaGMQb7MQdIKZzrpoKOArn25n5m3k8PYXX2cH TzKA58WKiCi9QSfjOBAjypwkiKq8tZK/+NXaggA94FUI+2Q1XYAfRksslU0WhItrrQqr +hYrX93WSpcUo1MOOaLU1iyk43fL2Nn8GZSBJEyWbFPNoqiveHZJH/KlL6lWwkllAUgq rFjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778619082; x=1779223882; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=RpARctubxx8lA4XtZtvDCBF0ktNsLEKbeHjau0kupPc=; b=a1bPzWn/mPzrLAtcz77HWDTs3SV2mLwCUXmCWQUQle+QvEc8HrtKtI07PmMTAYHABi AqslHJWuOzBlTQRCrUtaqJnTtFVTQnziFSDkGUgh9yWKCYl+Ts25QJGtNLjHJUDK4hWs Ha6vT6eondsVvl4vjE/C7ZVM21b3oUk3/gS7WJ821/qI5Urg+I49AwYaJyk1XF703Wla xO93izQ/glIjxV1/8IgGedWYqXSfp5hSjr3ucuPdNrXQyUKAm28NyaqobXQ7B7cTJ8k3 Yu2q3+BtvA6kvhfXSbvJ+xSRwhqHs8TWKZRZcN4Em9SAwCC0rTeUWs3TKBvKZ+FxT9Xr mxsQ== X-Forwarded-Encrypted: i=1; AFNElJ8MRmRcWvVku7eJwkNMDkdRBspkURvaDmRkIEp4dpalZqA9CwONF5OTXzmeiaFVAtE7bqlT7O5qHsQxcmA=@vger.kernel.org X-Gm-Message-State: AOJu0YwLQcyuKqQMDYfVabpt8m6JQhywwD+6T8gucdeDh33i0n5lyoId cvGN3sn4wvakmBBSyy+W2AlM/2caZjD1pzQuDpR2ZGtiU76PxWJ1lgnm X-Gm-Gg: Acq92OGuojoSdxq2/WEgXQwnztNwTatFL09/aCMuRpGe4Ae4GCcQi+q9w5/y4NOBp85 QxpoSWDbkaqFcQk8snBr1JqY/u2Xo5Ulm5rmrQsDX/MzQ15Zs4H4me8ZtJOI+GwL0GvsBxsFr2z Z3WlQLFDkiJHkDTiwhYfb5FrmPHLkTsipxVpb9PJPOhs7v/Pxl5lLe2O0JAfHkF+tOJdJMpOfv3 f5CblVv7QfmlrGBoGl9KKYRUik7jmE/9aBFdWapkK4SYXHfjxKHSLaPFbCcgrO3HTsk9A99Xov9 u1ypqLzxwwtGAReztQN65xNcdLZ8i5J5TdiGHzzEdVRAPa4+lDZe5xEJeNiNhOdU0DvLv05s1Cn e7TMAZe+U1Mp/YzrRU4P5cwaO6zjfTXTc1zJopQiInnSgF9xG00Mq7GdmmzHHBffAmDUYPisap6 jhgLaxtzl68s95VJbOzPMoKKVHe7G1w7fGoIKl5tCD13K9soZkRr/f/7LmsV0rUSfxZlCrQWt/F sKea6v5MhV7Tefdsy8OhzIaHRrpFI/EvJHiwm/9ryk= X-Received: by 2002:a05:620a:7003:b0:8eb:10d4:a46c with SMTP id af79cd13be357-90facf9e383mr9443985a.35.1778619082195; Tue, 12 May 2026 13:51:22 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-907b8d9eed0sm1490734285a.19.2026.05.12.13.51.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 13:51:21 -0700 (PDT) From: Michael Bommarito To: Steffen Klassert , Herbert Xu , Eric Dumazet , netdev@vger.kernel.org Cc: "David S . Miller" , Jakub Kicinski , Paolo Abeni , Kuniyuki Iwashima , Maciej Zenczykowski , Kees Cook , Jeff Layton , "Gustavo A . R . Silva" , Pablo Neira Ayuso , Florian Westphal , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH net 2/2] ipv4: ah: harden ah_output options-copy guard against ihl < 5 Date: Tue, 12 May 2026 16:51:15 -0400 Message-ID: <423b9ce3b45782c09a2fd9c65ad6674a9abb7c72.1778614451.git.michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ah_output() and ah_output_done() copy the IPv4 options area with if (top_iph->ihl !=3D 5) { memcpy(dst, src, top_iph->ihl * 4 - sizeof(struct iphdr)); } The "!=3D 5" guard correctly excludes the no-options case (ihl =3D=3D 5) and allows ihl > 5 where options are present. It does NOT exclude ihl < 5. For ihl in [0, 4], top_iph->ihl * 4 is less than sizeof(struct iphdr) (20); the subtraction is computed as int, becomes negative, and is then implicitly converted to size_t at the memcpy() call. The resulting length is close to SIZE_MAX and memcpy walks off the slab allocation backing the skb's network header. With the preceding patch ("ipv4: raw: reject IP_HDRINCL packets with ihl < 5") in place, an ihl < 5 packet from a raw IP_HDRINCL socket is rejected before it reaches the local-output path. However, post-LOCAL_OUT hook mangling (nftables payload-set, NFQUEUE reinject) can still rewrite the IPv4 header after the raw_send_hdrinc validation has run and deliver an ihl < 5 packet to ah_output(). Reachability of this path requires CAP_NET_ADMIN in the relevant netns; it is a smaller class than the original CAP_NET_RAW path but it is not zero. Independently of the post-LOCAL_OUT mangling question, the AH consumer should not contain a memcpy whose size is derived from an attacker-influenced field without a floor. Change the guard to "top_iph->ihl > 5" at all three sites: - ah_output_done() (the .complete callback path) - ah_output() (the synchronous options-copy site) - ah_output() (the post-hash restore site) Behavior for valid packets (ihl in {5, 6, ..., 15}) is unchanged. For malformed packets with ihl < 5, the options copy is cleanly skipped; the malformed field no longer becomes a huge memcpy length. This is the defense-in-depth half of the series; the upstream sanity check in the preceding patch is the primary fix. A mirror-pattern audit found no analogous bug in ah_input(), ip_clear_mutable_options(), or net/ipv6/ah6.c (IPv6 has a fixed-length header and no IP_HDRINCL equivalent for crafting an ihl < 5 ipv6hdr). Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with memcpy_orig at the crash site on a pre-fix kernel. The AH guard was verified by forcing the same packets through xfrm: the xfrm state counter incremented and no KASAN splat or panic occurred. With the preceding patch in this series, the original raw IP_HDRINCL path is rejected before AH. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- net/ipv4/ah4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index 4366cbac3f06..8fa31bdf9792 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -137,7 +137,7 @@ static void ah_output_done(void *data, int err) top_iph->tos =3D iph->tos; top_iph->ttl =3D iph->ttl; top_iph->frag_off =3D iph->frag_off; - if (top_iph->ihl !=3D 5) { + if (top_iph->ihl > 5) { top_iph->daddr =3D iph->daddr; memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr)); } @@ -197,7 +197,7 @@ static int ah_output(struct xfrm_state *x, struct sk_bu= ff *skb) iph->ttl =3D top_iph->ttl; iph->frag_off =3D top_iph->frag_off; =20 - if (top_iph->ihl !=3D 5) { + if (top_iph->ihl > 5) { iph->daddr =3D top_iph->daddr; memcpy(iph+1, top_iph+1, top_iph->ihl*4 - sizeof(struct iphdr)); err =3D ip_clear_mutable_options(top_iph, &top_iph->daddr); @@ -253,7 +253,7 @@ static int ah_output(struct xfrm_state *x, struct sk_bu= ff *skb) top_iph->tos =3D iph->tos; top_iph->ttl =3D iph->ttl; top_iph->frag_off =3D iph->frag_off; - if (top_iph->ihl !=3D 5) { + if (top_iph->ihl > 5) { top_iph->daddr =3D iph->daddr; memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr)); } --=20 2.53.0