I proudly participated in the tracking down and fixing of a problem in the ip_masq_raudio.c module for 2.2.x kernels. The problematic code assumed a fixed TCP packet header length. For QT4 this is often not the case, since those packets use the options part of the TCP header.
The incorrect code:

    th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
    data = (char *)&th[1];

Corrected:

    th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
    data = (char *)th + (th->doff * 4);

The patched code is ip_masq_raudio.c
There are many other places in the ip_masq* code where this error occurs. To me these are time bombs waiting to be triggered. Here's a Q&D (quick and dirty) script that finds and fixes this code in the /usr/src/linux/net/ipv4/ subdirectory:
    for f in `fgrep -l "&th[1]" *.c` ; do
        mv $f $f.orig
        sed -e 's/\&th\[1\]/th + (th->doff * 4)/g' $f.orig > $f
    done
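To make the difference between `&th[1]` and `th + (th->doff * 4)` concrete, here is an added example (not kernel code, and not from the original post) that computes the payload offset both ways over a constructed IPv4/TCP packet carrying 12 bytes of TCP options. It reads the ihl and doff fields directly from the bytes rather than through struct bitfields, and the packet, its NOP options and the "RTSP/1.0" payload are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload offset the way the buggy code found it: data = &th[1] skips
 * sizeof(struct tcphdr) == 20 bytes and ignores any TCP options. */
size_t payload_off_fixed(const uint8_t *pkt)
{
    size_t ip_hlen = (pkt[0] & 0x0f) * 4;   /* iph->ihl * 4 */
    return ip_hlen + 20;                     /* sizeof(struct tcphdr) */
}

/* Corrected: honour the TCP Data Offset field (th->doff, in 32-bit words).
 * Returns 0 if either header is malformed or does not fit in len. */
size_t payload_off_doff(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    size_t ip_hlen = (pkt[0] & 0x0f) * 4;
    if (ip_hlen < 20 || len < ip_hlen + 20) return 0;
    size_t tcp_hlen = (pkt[ip_hlen + 12] >> 4) * 4;   /* th->doff * 4 */
    if (tcp_hlen < 20 || len < ip_hlen + tcp_hlen) return 0;
    return ip_hlen + tcp_hlen;
}

/* Constructed sample: 20-byte IPv4 header (ihl 5), 32-byte TCP header
 * (doff 8, i.e. 12 bytes of NOP options), then an ASCII payload. */
static uint8_t sample_pkt[128];
static const char sample_payload[] = "RTSP/1.0";

size_t build_sample_packet(void)
{
    size_t plen = strlen(sample_payload);
    memset(sample_pkt, 0, sizeof sample_pkt);
    sample_pkt[0] = 0x45;                 /* version 4, ihl 5 */
    sample_pkt[9] = 6;                    /* protocol TCP */
    sample_pkt[20 + 12] = 0x80;           /* doff 8 -> 32-byte TCP header */
    memset(sample_pkt + 40, 0x01, 12);    /* options: NOPs */
    memcpy(sample_pkt + 52, sample_payload, plen);
    return 52 + plen;                     /* total packet length */
}

int main(void)
{
    size_t n = build_sample_packet();
    printf("buggy: %zu  correct: %zu -> \"%s\"\n", payload_off_fixed(sample_pkt),
           payload_off_doff(sample_pkt, n),
           (const char *)sample_pkt + payload_off_doff(sample_pkt, n));
    return 0;
}
```

With options present the fixed-size version lands 12 bytes early, inside the option bytes, so a masquerading helper that scans from there never sees the real request.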