From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.
parent
2131e68dd1
commit
95b420bbeb
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
|
||||
/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
|
||||
|
||||
/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
|
||||
|
||||
|
@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
|
|||
* frag->len is the frag payload data plus the frag payload header,
|
||||
* whose size is sizeof(*frag)
|
||||
*/
|
||||
if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
|
||||
if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
|
||||
ntohs(frag->len) < sizeof(*frag) + 1) {
|
||||
plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
|
||||
return -1;
|
||||
}
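Review bot: The added lower bound `ntohs(frag->len) < sizeof(*frag) + 1` is undocumented: the comment above the `if` still describes only how `frag->len` relates to the message length, so a reader cannot tell why a fragment whose length equals the header size is rejected. Going by the commit title, later code presumably derives the data size as `frag->len - sizeof(*frag)` and must never see zero or a wrapped value; that code is outside the hunk, so confirm it before settling the wording. I would extend the comment with `* A fragment must carry at least one data byte, so len <= sizeof(*frag) is rejected too.` As a style point, converting once into a local declared with the function's other variables (`flen = ntohs(frag->len);`) and testing `flen` in both conditions would make the two bounds easier to compare. isakmp_frag_extract starts before and continues after this hunk.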
|
||||
|
|