check packet length before fetching ESP crypto checksum.

Obtained from: KAME MFC after: 2 days
author: ume <ume@FreeBSD.org> 2002-08-24 04:48:13 +0000
committer: ume <ume@FreeBSD.org> 2002-08-24 04:48:13 +0000
commit: a37394066bdd8b2619163284b14eb9cceca8d096 (patch)
tree: bd04dc063e58be7ab5ab239c4f1448007678c480 /sys/netinet6
parent: aed4b3d58b66e9ca76769def19dd84863de2a348 (diff)
download: FreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.zip
FreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 1ad8dcd..b038f6c 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -217,6 +217,10 @@ esp4_input(m, off)
 	if (!sumalgo)
 		goto noreplaycheck;
 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+	if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+		ipsecstat.in_inval++;
+		goto bad;
+	}
 	if (AH_MAXSUMSIZE < siz) {
 		ipseclog((LOG_DEBUG,
 		    "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
@@ -572,6 +576,10 @@ esp6_input(mp, offp, proto)
 	if (!sumalgo)
 		goto noreplaycheck;
 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+	if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+		ipsecstat.in_inval++;
+		goto bad;
+	}
 	if (AH_MAXSUMSIZE < siz) {
 		ipseclog((LOG_DEBUG,
 		    "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
author	ume <ume@FreeBSD.org>	2002-08-24 04:48:13 +0000
committer	ume <ume@FreeBSD.org>	2002-08-24 04:48:13 +0000
commit	a37394066bdd8b2619163284b14eb9cceca8d096 (patch)
tree	bd04dc063e58be7ab5ab239c4f1448007678c480 /sys/netinet6
parent	aed4b3d58b66e9ca76769def19dd84863de2a348 (diff)
download	FreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.zip FreeBSD-src-a37394066bdd8b2619163284b14eb9cceca8d096.tar.gz