From 6c3155b1a1f1aba29de45db6edb08c7e94f87c83 Mon Sep 17 00:00:00 2001
From: Hakan Olsson
Date: Thu, 7 Nov 2002 15:16:40 +0000
Subject: Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.
---
 sys/netinet/ip_esp.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 371aabc669b..8260f6569a9 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.75 2002/07/30 19:09:36 jason Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.76 2002/11/07 15:16:39 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -274,13 +274,20 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 else
 alen = 0;

+ plen = m->m_pkthdr.len - (skip + hlen + alen);
+ if (plen <= 0) {
+ DPRINTF(("esp_input: invalid payload length\n"));
+ espstat.esps_badilen++;
+ m_freem(m);
+ return EINVAL;
+ }
+
 if (espx) {
 /*
 * Verify payload length is multiple of encryption algorithm
 * block size.
 */
- plen = m->m_pkthdr.len - (skip + hlen + alen);
- if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
+ if (plen & (espx->blocksize - 1)) {
 DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
 espstat.esps_badilen++;
 m_freem(m);
-- 
cgit v1.2.3
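Review bot: The new early reject in esp_input logs only `esp_input: invalid payload length`, without the SA or the offending length that the block-size message a few lines below still prints, so a truncated ESP packet dropped here cannot be tied to a peer from the debug log. Something like `DPRINTF(("esp_input(): invalid payload length %d octets, SA %s/%08x\n", plen, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));` would keep the two messages consistent. The `plen <= 0` test only catches a packet shorter than skip + hlen + alen if plen is signed; its declaration is outside the hunk, so that is worth confirming. A one-line comment above the assignment, e.g. `/* Reject short packets before any transform, including NULL encryption. */`, would record why the test was hoisted out of the espx branch. esp_input's body starts and ends outside the hunk.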