more strict sanity check for ESP tail

Obtained from: KAME
svn path=/head/; revision=121335
2003-10-22 10:44:59 +00:00 · 2003-10-22 10:44:59 +00:00 · b18521ee3b · 2020-12-20 02:59:44 +00:00
commit b18521ee3b
parent e229cfa536
1 changed files with 1 additions and 1 deletions
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@ -332,7 +332,7 @@ esp4_input(m, off)
 	taillen = esptail.esp_padlen + sizeof(esptail);

 	if (m->m_pkthdr.len < taillen ||
-	    m->m_pkthdr.len - taillen < hlen) {	/* ? */
+	    m->m_pkthdr.len - taillen < off + esplen + ivlen + sizeof(esptail)) {
 		ipseclog((LOG_WARNING,
 		    "bad pad length in IPv4 ESP input: %s %s\n",
 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));