arp: fix possible crash in arp_rcv()

static int arp_rcv(struct sk_buff *skb, struct net_device *dev,

		   struct packet_type *pt, struct net_device *orig_dev)

{

	struct arphdr *arp;

	const struct arphdr *arp;

	if (dev->flags & IFF_NOARP ||

	    skb->pkt_type == PACKET_OTHERHOST ||

	    skb->pkt_type == PACKET_LOOPBACK)

		goto freeskb;

	skb = skb_share_check(skb, GFP_ATOMIC);

	if (!skb)

		goto out_of_mem;

	/* ARP header, plus 2 device addresses, plus 2 IP addresses.  */

	if (!pskb_may_pull(skb, arp_hdr_len(dev)))

		goto freeskb;

	arp = arp_hdr(skb);

	if (arp->ar_hln != dev->addr_len ||

	    dev->flags & IFF_NOARP ||

	    skb->pkt_type == PACKET_OTHERHOST ||

	    skb->pkt_type == PACKET_LOOPBACK ||

	    arp->ar_pln != 4)

	if (arp->ar_hln != dev->addr_len || arp->ar_pln != 4)

		goto freeskb;

	skb = skb_share_check(skb, GFP_ATOMIC);

	if (skb == NULL)

		goto out_of_mem;

	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));

	return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);