ipsec-92.4.tar.gz

[apple/ipsec.git] / ipsec-tools / racoon / isakmp_frag.c

diff --git a/ipsec-tools/racoon/isakmp_frag.c b/ipsec-tools/racoon/isakmp_frag.c
index 64228239e9484478975df488bf4c6b09e1732c35..af19b91a286057ef72b6cf04b3d5d7e6a675a443 100644 (file)
--- a/ipsec-tools/racoon/isakmp_frag.c
+++ b/ipsec-tools/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
         * frag->len is the frag payload data plus the frag payload header,
         * whose size is sizeof(*frag) 
         */
-       if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+       if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+               ntohs(frag->len) < sizeof(*frag) + 1) {
                plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
                return -1;
        }