Module Name:    src
Committed By:   tteras
Date:           Wed Apr 22 11:24:20 UTC 2009

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
From Neil Kettle: Fix a possible null pointer dereference in the fragmentation
code.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Wed Apr 22 11:24:20 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -199,7 +199,8 @@
 	 * frag->len is the frag payload data plus the frag payload header,
 	 * whose size is sizeof(*frag) 
 	 */
-	if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+	if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+	    ntohs(frag->len) < sizeof(*frag) + 1) {
 		plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 		return -1;
 	}
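Review bot: The comment above this check still explains only the upper bound, so the reason for the new `ntohs(frag->len) < sizeof(*frag) + 1` clause is left to the commit log. I would extend the comment with a line such as `frag->len must also cover the fragment header plus at least one byte of data`. The code that consumes the data length lies outside the hunk, so that wording should be confirmed against it. Both rejections also share the single message `Fragment too short`, so a peer declaring an undersized length cannot be told apart in the logs from a truncated packet; a separate `plog` message for the second condition would make triage easier. The enclosing function starts and ends outside the hunk.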
