diff options
| author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-11-07 15:16:40 +0000 |
|---|---|---|
| committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-11-07 15:16:40 +0000 |
| commit | 6c3155b1a1f1aba29de45db6edb08c7e94f87c83 (patch) | |
| tree | 593c45981cb6d82dcf365c7f8d2082c8ca2c72f2 | |
| parent | b466b0fac26918371761aa5bfbf7e16c92a1c4d1 (diff) | |
Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.
| -rw-r--r-- | sys/netinet/ip_esp.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 371aabc669b..8260f6569a9 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.75 2002/07/30 19:09:36 jason Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.76 2002/11/07 15:16:39 ho Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -274,13 +274,20 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) else alen = 0; + plen = m->m_pkthdr.len - (skip + hlen + alen); + if (plen <= 0) { + DPRINTF(("esp_input: invalid payload length\n")); + espstat.esps_badilen++; + m_freem(m); + return EINVAL; + } + if (espx) { /* * Verify payload length is multiple of encryption algorithm * block size. */ - plen = m->m_pkthdr.len - (skip + hlen + alen); - if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { + if (plen & (espx->blocksize - 1)) { DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); espstat.esps_badilen++; m_freem(m); |