Linux · Linux Kernel · CVE-2026-43037
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
A flaw exists in the `ip4ip6_err()` function, which calls `icmp_send()` using a cloned socket buffer (`skb`) whose `cb[]` data was written as `struct inet6_skb_parm`. The `icmp_send()` function passes `IPCB(skb2)` to `__ip_options_echo()`, which incorrectly interprets the `cb[]` region as `struct inet_skb_parm` (IPv4). Because the layouts differ, `inet6_skb_parm.nhoff` overlaps with `inet_skb_parm.opt.rr`, resulting in a non-zero `rr` value. This allows `__ip_options_echo()` to read an `optlen` value from attacker-controlled packet data and copy an arbitrary number of bytes into `dopt->__data`, which is a fixed 40-byte stack buffer.
**Recommendations**
Clear `skb2->cb[]` in the `ip4ip6_err()` function.
Implement minimal IPv4 header validation to ensure the version is 4 and the internet header length (`ihl`) is at least 5.
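
The following user-space model is an added example, not kernel code or the upstream patch. It shows why stale IPv6 metadata in a shared control block reads as a non-zero `rr` through the IPv4 view, and how the two recommendations remove that state. The `model_*` structs, the helper names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CB_SIZE 48 /* models the skb->cb[] scratch area */

/* Simplified stand-ins (assumption): field order is illustrative and is
 * not copied from the kernel's inet6_skb_parm / inet_skb_parm. */
struct model_v6_parm { int32_t iif; uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff; };
struct model_v4_opt  { uint32_t faddr, nexthop; uint8_t optlen, srr, rr, ts; };
struct model_v4_parm { int32_t iif; struct model_v4_opt opt; };

/* IPv6 tunnel path: store per-packet metadata in cb[] using the IPv6 view. */
static void write_v6_meta(unsigned char *cb, uint16_t nhoff) {
    struct model_v6_parm p = {0};
    p.nhoff = nhoff;
    memset(cb, 0, CB_SIZE);
    memcpy(cb, &p, sizeof p);
}

/* IPv4 error path: reinterpret the same bytes using the IPv4 view. */
static uint8_t v4_view_rr(const unsigned char *cb) {
    struct model_v4_parm p;
    memcpy(&p, cb, sizeof p);
    return p.opt.rr;
}

/* Checks from the recommendations: version 4 and ihl >= 5. The length
 * bound is an extra check added in this example. */
static int ipv4_hdr_ok(const unsigned char *pkt, size_t len) {
    if (len < 20) return 0;
    unsigned version = pkt[0] >> 4, ihl = pkt[0] & 0x0f;
    return version == 4 && ihl >= 5 && (size_t)ihl * 4 <= len;
}

/* Returns rr as the IPv4 path sees it, or -1 if the packet is rejected. */
static int rr_seen_by_icmp(unsigned char *cb, const unsigned char *pkt,
                           size_t len, int hardened) {
    if (hardened) {
        if (!ipv4_hdr_ok(pkt, len)) return -1;
        memset(cb, 0, CB_SIZE); /* drop stale IPv6 metadata */
    }
    return v4_view_rr(cb);
}

int main(void) {
    unsigned char cb[CB_SIZE], pkt[20] = {0x45}; /* constructed header byte */
    write_v6_meta(cb, 0x2828);                   /* constructed nhoff value */
    printf("unhardened rr=%d\n", rr_seen_by_icmp(cb, pkt, sizeof pkt, 0));
    printf("hardened   rr=%d\n", rr_seen_by_icmp(cb, pkt, sizeof pkt, 1));
}
```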