Apply by doing cd /usr/src/sys/netinet patch -p0 < ipsec.patch And then rebuild your kernel. Index: sys/netinet/ip_esp_new.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_esp_new.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- ip_esp_new.c 1998/03/07 21:30:24 1.17 +++ ip_esp_new.c 1998/05/05 08:54:48 1.18 @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_new.c,v 1.17 1998/03/07 21:30:24 provos Exp $ */ +/* $OpenBSD: ip_esp_new.c,v 1.18 1998/05/05 08:54:48 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -555,7 +555,7 @@ plen = m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen - alen; - if (plen & (blks - 1)) + if ((plen & (blks - 1)) || (plen <= 0)) { #ifdef ENCDEBUG if (encdebug) @@ -765,6 +765,16 @@ if ((xd->edx_flags & ESP_NEW_FLAG_NPADDING) == 0) { + if (blk[6] + 2 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } if ((blk[6] != blk[5]) && (blk[6] != 0)) { if (encdebug) @@ -777,6 +787,16 @@ } else { + if (blk[6] + 1 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } if (blk[6] == 0) { if (encdebug) Index: sys/netinet/ip_esp_old.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_esp_old.c,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- ip_esp_old.c 1998/03/07 21:30:26 1.15 +++ ip_esp_old.c 1998/05/05 08:54:50 1.16 @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_old.c,v 1.15 1998/03/07 21:30:26 provos Exp $ */ +/* $OpenBSD: ip_esp_old.c,v 1.16 1998/05/05 08:54:50 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -344,7 +344,7 @@ /* Skip the IP header, IP options, SPI and IV */ plen = m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) - xd->edx_ivlen; - if (plen & (blks - 1)) + if ((plen & (blks - 1)) || (plen <= 0)) { #ifdef ENCDEBUG if (encdebug) @@ -497,6 +497,18 @@ * We cannot verify the decryption here (as in ip_esp_new.c), since * the padding may be random. */ + + if (blk[6] + 2 > m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) - + xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_old_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } m_adj(m, -blk[6] - 2); m_adj(m, 4 + xd->edx_ivlen);