From 87a25418ac42fd29c868e7752ce5930feefbec5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20Lu=C3=A7i?= Date: Fri, 2 Apr 2010 18:15:23 +0000 Subject: [PATCH] Fix a logic error in ipsec code that extracts information from the packets. Reviewed by: bz, mlaier Approved by: mlaier(mentor) MFC after: 1 month --- sys/netipsec/ipsec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 4b552c8139c..5ee4bbb8f40 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -592,7 +592,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short")); /* NB: ip_input() flips it into host endian. XXX Need more checking. */ - if (m->m_len < sizeof (struct ip)) { + if (m->m_len >= sizeof (struct ip)) { struct ip *ip = mtod(m, struct ip *); if (ip->ip_off & (IP_MF | IP_OFFMASK)) goto done;