summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorume <ume@FreeBSD.org>2002-08-24 04:48:13 +0000
committerume <ume@FreeBSD.org>2002-08-24 04:48:13 +0000
commita37394066bdd8b2619163284b14eb9cceca8d096 (patch)
treebd04dc063e58be7ab5ab239c4f1448007678c480
parentaed4b3d58b66e9ca76769def19dd84863de2a348 (diff)
downloadFreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.zip
FreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.tar.gz
check packet length before fetching ESP crypto checksum.
Obtained from: KAME MFC after: 2 days
-rw-r--r--sys/netinet6/esp_input.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 1ad8dcd..b038f6c 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -217,6 +217,10 @@ esp4_input(m, off)
if (!sumalgo)
goto noreplaycheck;
siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
if (AH_MAXSUMSIZE < siz) {
ipseclog((LOG_DEBUG,
"internal error: AH_MAXSUMSIZE must be larger than %lu\n",
@@ -572,6 +576,10 @@ esp6_input(mp, offp, proto)
if (!sumalgo)
goto noreplaycheck;
siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
if (AH_MAXSUMSIZE < siz) {
ipseclog((LOG_DEBUG,
"internal error: AH_MAXSUMSIZE must be larger than %lu\n",
OpenPOWER on IntegriCloud