author | ume <ume@FreeBSD.org> | 2002-08-24 04:48:13 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2002-08-24 04:48:13 +0000 |
commit | a37394066bdd8b2619163284b14eb9cceca8d096 (patch) | |
tree | bd04dc063e58be7ab5ab239c4f1448007678c480 | |
parent | aed4b3d58b66e9ca76769def19dd84863de2a348 (diff) | |
check packet length before fetching ESP crypto checksum.
Obtained from: KAME
MFC after: 2 days
-rw-r--r-- | sys/netinet6/esp_input.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 1ad8dcd..b038f6c 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -217,6 +217,10 @@ esp4_input(m, off)
 if (!sumalgo)
 goto noreplaycheck;
 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
 if (AH_MAXSUMSIZE < siz) {
 ipseclog((LOG_DEBUG,
 "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
@@ -572,6 +576,10 @@ esp6_input(mp, offp, proto)
 if (!sumalgo)
 goto noreplaycheck;
 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
 if (AH_MAXSUMSIZE < siz) {
 ipseclog((LOG_DEBUG,
 "internal error: AH_MAXSUMSIZE must be larger than %lu\n", |
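Review bot: The guard added in esp4_input has no comment saying which read it protects, and the same holds for the identical guard in the esp6_input hunk. Going by the commit message, the code after this point fetches the `siz`-byte checksum from the packet, so a line such as `/* packet must hold the ESP header plus the checksum before the checksum is fetched */` above the `if` would make the invariant explicit. The comparison also sums `off`, `ESPMAXLEN` and `siz`, whose types are declared outside the hunk. If any of them is unsigned, `m->m_pkthdr.len` is converted to unsigned for the test, so it is worth confirming that the length cannot be negative here. esp4_input starts and ends outside the hunk.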
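Review bot: In the esp6_input hunk the rejected packet is counted with `ipsecstat.in_inval++`, the same counter the esp4_input hunk uses, so truncated IPv6 ESP packets would be attributed to the IPv4 statistics. If the rest of esp6_input keeps its counters in the IPv6 structure (`ipsec6stat` in KAME-derived code; not visible in this hunk), the line should read `ipsec6stat.in_inval++;`. The difference matters to anyone watching per-family invalid-packet counters for malformed ESP traffic. esp6_input starts and ends outside the hunk.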