Apply by doing
cd /usr/src/sys/netinet
patch -p0 < ipsec.patch
And then rebuild your kernel.
Index: sys/netinet/ip_esp_new.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_new.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ip_esp_new.c 1998/03/07 21:30:24 1.17
+++ ip_esp_new.c 1998/05/05 08:54:48 1.18
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_new.c,v 1.17 1998/03/07 21:30:24 provos Exp $ */
+/* $OpenBSD: ip_esp_new.c,v 1.18 1998/05/05 08:54:48 provos Exp $ */
/*
* The author of this code is John Ioannidis,
[email protected],
@@ -555,7 +555,7 @@
plen = m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) -
xd->edx_ivlen - alen;
- if (plen & (blks - 1))
+ if ((plen & (blks - 1)) || (plen <= 0))
{
#ifdef ENCDEBUG
if (encdebug)
@@ -765,6 +765,16 @@
if ((xd->edx_flags & ESP_NEW_FLAG_NPADDING) == 0)
{
+ if (blk[6] + 2 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+ {
+#ifdef ENCDEBUG
+ if (encdebug)
+ printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+ espstat.esps_badilen++;
+ m_freem(m);
+ return NULL;
+ }
if ((blk[6] != blk[5]) && (blk[6] != 0))
{
if (encdebug)
@@ -777,6 +787,16 @@
}
else
{
+ if (blk[6] + 1 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+ {
+#ifdef ENCDEBUG
+ if (encdebug)
+ printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+ espstat.esps_badilen++;
+ m_freem(m);
+ return NULL;
+ }
if (blk[6] == 0)
{
if (encdebug)
Index: sys/netinet/ip_esp_old.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_old.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- ip_esp_old.c 1998/03/07 21:30:26 1.15
+++ ip_esp_old.c 1998/05/05 08:54:50 1.16
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_old.c,v 1.15 1998/03/07 21:30:26 provos Exp $ */
+/* $OpenBSD: ip_esp_old.c,v 1.16 1998/05/05 08:54:50 provos Exp $ */
/*
* The author of this code is John Ioannidis,
[email protected],
@@ -344,7 +344,7 @@
/* Skip the IP header, IP options, SPI and IV */
plen = m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
xd->edx_ivlen;
- if (plen & (blks - 1))
+ if ((plen & (blks - 1)) || (plen <= 0))
{
#ifdef ENCDEBUG
if (encdebug)
@@ -497,6 +497,18 @@
* We cannot verify the decryption here (as in ip_esp_new.c), since
* the padding may be random.
*/
+
+ if (blk[6] + 2 > m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
+ xd->edx_ivlen)
+ {
+#ifdef ENCDEBUG
+ if (encdebug)
+ printf("esp_old_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+ espstat.esps_badilen++;
+ m_freem(m);
+ return NULL;
+ }
m_adj(m, -blk[6] - 2);
m_adj(m, 4 + xd->edx_ivlen);
