diff options
| author | Hajimu UMEMOTO <ume@FreeBSD.org> | 2002-08-24 04:48:13 +0000 |
|---|---|---|
| committer | Hajimu UMEMOTO <ume@FreeBSD.org> | 2002-08-24 04:48:13 +0000 |
| commit | 0731a74b0805625a3029d90f06e23c89c4f980f9 (patch) | |
| tree | bd04dc063e58be7ab5ab239c4f1448007678c480 | |
| parent | 79a19533fb9d3cfd56dff6ac3a208f36b4931456 (diff) | |
Notes
| -rw-r--r-- | sys/netinet6/esp_input.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c index 1ad8dcdc373a..b038f6c3826b 100644 --- a/sys/netinet6/esp_input.c +++ b/sys/netinet6/esp_input.c @@ -217,6 +217,10 @@ esp4_input(m, off) if (!sumalgo) goto noreplaycheck; siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); + if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { + ipsecstat.in_inval++; + goto bad; + } if (AH_MAXSUMSIZE < siz) { ipseclog((LOG_DEBUG, "internal error: AH_MAXSUMSIZE must be larger than %lu\n", @@ -572,6 +576,10 @@ esp6_input(mp, offp, proto) if (!sumalgo) goto noreplaycheck; siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); + if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { + ipsecstat.in_inval++; + goto bad; + } if (AH_MAXSUMSIZE < siz) { ipseclog((LOG_DEBUG, "internal error: AH_MAXSUMSIZE must be larger than %lu\n", |