From a37394066bdd8b2619163284b14eb9cceca8d096 Mon Sep 17 00:00:00 2001
From: ume
Date: Sat, 24 Aug 2002 04:48:13 +0000
Subject: check packet length before fetching ESP crypto checksum.

Obtained from: KAME
MFC after: 2 days
---
 sys/netinet6/esp_input.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 1ad8dcd..b038f6c 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -217,6 +217,10 @@ esp4_input(m, off)
 if (!sumalgo)
 goto noreplaycheck;
 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
 if (AH_MAXSUMSIZE < siz) {
 ipseclog((LOG_DEBUG,
 "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
@@ -572,6 +576,10 @@ esp6_input(mp, offp, proto)
 if (!sumalgo)
 goto noreplaycheck;
 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
+ if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
+ ipsecstat.in_inval++;
+ goto bad;
+ }
 if (AH_MAXSUMSIZE < siz) {
 ipseclog((LOG_DEBUG,
 "internal error: AH_MAXSUMSIZE must be larger than %lu\n",
-- cgit v1.1
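Review bot: In the second hunk (esp6_input) the new short-packet drop increments `ipsecstat.in_inval`, the same counter the esp4_input hunk uses. If the rest of esp6_input accounts its drops in the IPv6 statistics structure, which cannot be seen from here, truncated IPv6 ESP packets will be miscounted as IPv4 and the line should read `ipsec6stat.in_inval++;`. In both hunks the drop is silent, while the neighbouring `AH_MAXSUMSIZE` failure goes through `ipseclog`; a matching `LOG_WARNING` line and a short comment such as `/* packet too short to hold the ICV */` would make these drops visible when triaging malformed traffic. The comparison also mixes `m->m_pkthdr.len` and `off` with `siz`, which is printed as `u_long` below, so it is presumably evaluated unsigned and worth confirming against the declarations. Both functions begin and end outside the hunks shown.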