From Neil Kettle: Fix a possible null pointer dereference in fragmentation

code.
2009-04-22 11:24:20 +00:00 · 2009-04-22 11:24:20 +00:00 · 95b420bbeb
parent 2131e68dd1
commit 95b420bbeb
1 changed files with 3 additions and 2 deletions
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/

 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */

@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
 	 * frag->len is the frag payload data plus the frag payload header,
 	 * whose size is sizeof(*frag) 
 	 */
-	if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+	if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+	    ntohs(frag->len) < sizeof(*frag) + 1) {
 		plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 		return -1;
 	}