more strict sanity check for ESP tail

Obtained from: KAME
author: suz <suz@FreeBSD.org> 2003-10-22 10:44:59 +0000
committer: suz <suz@FreeBSD.org> 2003-10-22 10:44:59 +0000
commit: d11ff9f6a5c129b73c529084ee6e105bb2d4da97 (patch)
tree: bed35451c649640834f3f79b0add725c621e142b
parent: 698ac71d64ee88fdadf4dd7a57b70b2971d06271 (diff)
download: FreeBSD-src-d11ff9f6a5c129b73c529084ee6e105bb2d4da97.zip
FreeBSD-src-d11ff9f6a5c129b73c529084ee6e105bb2d4da97.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 44f7d0c..f2d802c 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -332,7 +332,7 @@ noreplaycheck:
 	taillen = esptail.esp_padlen + sizeof(esptail);
 
 	if (m->m_pkthdr.len < taillen ||
-	    m->m_pkthdr.len - taillen < hlen) {	/* ? */
+	    m->m_pkthdr.len - taillen < off + esplen + ivlen + sizeof(esptail)) {
 		ipseclog((LOG_WARNING,
 		    "bad pad length in IPv4 ESP input: %s %s\n",
 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
author	suz <suz@FreeBSD.org>	2003-10-22 10:44:59 +0000
committer	suz <suz@FreeBSD.org>	2003-10-22 10:44:59 +0000
commit	d11ff9f6a5c129b73c529084ee6e105bb2d4da97 (patch)
tree	bed35451c649640834f3f79b0add725c621e142b
parent	698ac71d64ee88fdadf4dd7a57b70b2971d06271 (diff)
download	FreeBSD-src-d11ff9f6a5c129b73c529084ee6e105bb2d4da97.zip FreeBSD-src-d11ff9f6a5c129b73c529084ee6e105bb2d4da97.tar.gz