X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/d1e348cfd503b08e7d34b7683d23aae209af0a71..476121220b14176dcbf5f70f47b9ef8e38f8b389:/ipsec-tools/racoon/isakmp_frag.c

diff --git a/ipsec-tools/racoon/isakmp_frag.c b/ipsec-tools/racoon/isakmp_frag.c
index 6422823..af19b91 100644
--- a/ipsec-tools/racoon/isakmp_frag.c
+++ b/ipsec-tools/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
 	 * frag->len is the frag payload data plus the frag payload header,
 	 * whose size is sizeof(*frag) 
 	 */
-	if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+	if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+		ntohs(frag->len) < sizeof(*frag) + 1) {
 		plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 		return -1;
 	}