Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers

Upstream-Status: Pending

Add checking for invalid pointers, or it will crash racoon.

Signed-off-by: Ming Liu <ming.liu@windriver.com>
---
 ipsec_doi.c    |    5 +++--
 isakmp_cfg.c   |    7 +++++++
 isakmp_quick.c |    6 ++++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
 
 	/* handle wildcard IDs */
 
-	if (idt == NULL || ids == NULL)
-	{
+	if (idt == NULL || ids == NULL ||
+	    idt->v == NULL || idt->l == 0 ||
+	    ids->v == NULL || ids->l == 0) {
 		if( !exact )
 		{
 			plog(LLV_DEBUG, LOCATION, NULL,
diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
--- a/src/racoon/isakmp_cfg.c
+++ b/src/racoon/isakmp_cfg.c
@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
 		return NULL;
 	}
 
+	if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
+	    iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
+		plog(LLV_ERROR, LOCATION, NULL,
+		    "isakmp_cfg_newiv called with invalid IV management\n");
+		return NULL;
+	}
+
 	if (ics->ivm != NULL)
 		oakley_delivm(ics->ivm);
 
diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
 	int error = ISAKMP_INTERNAL_ERROR;
 
 	/* check the existence of ID payload */
-	if ((iph2->id_p != NULL && iph2->id == NULL)
-	 || (iph2->id_p == NULL && iph2->id != NULL)) {
+	if ((iph2->id_p != NULL &&
+	    (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
+	    (iph2->id != NULL &&
+	    (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"Both IDs wasn't found in payload.\n");
 		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;