File fix_null_dereference_in_isakmp_frag.c.diff of Package ipsec-tools

Acked-by: Jiri Bohac <jbohac@suse.cz>
References: bnc#498859
Patch-mainline: 0.7.2

===================================================================
RCS file: /ftp/cvs/cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c,v
retrieving revision 1.4
retrieving revision 1.4.6.1
diff -u -p -r1.4 -r1.4.6.1
--- a/src/racoon/isakmp_frag.c	2006/09/09 16:22:09	1.4
+++ b/src/racoon/isakmp_frag.c	2009/04/22 11:25:35	1.4.6.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.4.6.1 2009/04/22 11:25:35 tteras Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
 	 * frag->len is the frag payload data plus the frag payload header,
 	 * whose size is sizeof(*frag) 
 	 */
-	if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+	if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+	    ntohs(frag->len) < sizeof(*frag) + 1) {
 		plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 		return -1;
 	}
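Review bot: The added `ntohs(frag->len) < sizeof(*frag) + 1` test reuses the "Fragment too short" message of the truncation test, so the log cannot tell a packet shorter than its declared length from a length field too small to hold any fragment data. Giving it its own `if` with a message such as `"Fragment length field too small\n"` would make malformed peer input easier to triage. The `+ 1` is unexplained; a comment like `/* require the frag header plus at least one byte of data */` above the condition would record why a header-only fragment is rejected, presumably because the data length derived from frag->len later in the function would otherwise be zero. The hunk does not show whether msg->l is checked against `sizeof(*isakmp) + sizeof(*frag)` before frag->len is read. That is worth confirming in the earlier part of isakmp_frag_extract, whose body starts and ends outside this hunk.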