diff options
| author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-17 19:52:25 +0000 |
|---|---|---|
| committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-17 19:52:25 +0000 |
| commit | f7f6def1892546d1385e6387041df289af6349e6 (patch) | |
| tree | bcc18b157bcba0d21787e90e9a9e74ba6a3dccfd | |
| parent | 8ae7dba658fe236241b10b722d132f73bb118538 (diff) | |
Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and
mfranz@cisco.com for finding the problem).
| -rw-r--r-- | sys/netinet/ipsec_input.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index e031db48bd5..bcd4b5d9e85 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.30 2000/07/11 21:11:08 millert Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.31 2000/09/17 19:52:24 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -131,6 +131,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) return EOPNOTSUPP; } + if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) + { + m_freem(m); + IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops); + return EINVAL; + } + /* Retrieve the SPI from the relevant IPsec header */ if (sproto == IPPROTO_ESP) m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); |