Module Name: src Committed By: tteras Date: Wed Apr 22 11:24:20 UTC 2009
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c Log Message: From Neil Kettle: Fix a possible null pointer dereference in fragmentation code. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.4 Sat Sep 9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c Wed Apr 22 11:24:20 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
+/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
@@ -199,7 +199,8 @@
 * frag->len is the frag payload data plus the frag payload header,
 * whose size is sizeof(*frag)
 */
- if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+ ntohs(frag->len) < sizeof(*frag) + 1) {
 plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 return -1;
 }
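Review bot: The `+ 1` in the added lower bound `ntohs(frag->len) < sizeof(*frag) + 1` is unexplained, and the comment just above the test still describes only what frag->len contains, not that a length covering no payload data is now rejected. A short comment such as `/* frag->len must cover the header plus at least one byte of data */` would record the intent; presumably code after the hunk subtracts sizeof(*frag) from this length, which is why an undersized value has to be stopped here, but that code is not visible. Both conditions also share the "Fragment too short" message, so a truncated datagram and an undersized declared length cannot be told apart in the log. `ntohs(frag->len)` is now converted twice in one condition, and a local holding the host-order length would make the two bounds easier to read. The enclosing function starts and ends outside the hunk.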