commit e79565f95d894bba1ce55cc30dfedf64c4bfca9a Author: Paul Wouters Date: Wed Oct 5 09:33:08 2011 -0400 * Fix for CVE-2011-3380 Openswan IKE invalid key length vulnerability The function parse_isakmp_sa_body() calls the function ike_alg_enc_ok() twice, once to verify the algorithm and once to verify the key length. In openswan 2.6.29, the second call was changed to pass NULL as the errp pointer. The function ike_alg_enc_ok() error handler improperly dereferences the errp pointer. When an ISAKMP message with an invalid KEY_LENGTH attribute is received, the error handling function crashes on a NULL pointer dereference. Openswan automatically restarts the pluto IKE daemon but all ISAKMP state is lost. This vulnerability does NOT allow an attacker access to the system. This can be used to launch a denial of service attack by sending repeated IKE packets with the invalid key length attribute. diff --git a/programs/pluto/ike_alg.c b/programs/pluto/ike_alg.c index 78aea4a..08b8d82 100644 --- a/programs/pluto/ike_alg.c +++ b/programs/pluto/ike_alg.c @@ -115,7 +115,7 @@ bool ike_alg_enc_ok(int ealg, unsigned key_len, ealg, key_len); } ); - if (!ret && *errp) + if (!ret && errp) *errp = ugh_buf; return ret; }
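Review bot: the one-character change in the `ike_alg_enc_ok()` hunk (`- if (!ret && *errp)` to `+ if (!ret && errp)`) does fix the NULL dereference the message describes, but it also changes behaviour for callers that pass a non-NULL `errp`: the old condition only wrote `ugh_buf` when `*errp` already held a non-NULL value, whereas the new condition writes it whenever `errp` itself is non-NULL, so a caller that initialises its error pointer to NULL before the call now receives the message where it previously did not. That is almost certainly the intended behaviour (the old `*errp` reads like a typo for `errp`), but the commit message should state it explicitly rather than only describing the crash. The function's header comment should also document that `errp` is optional and may be NULL, since the second call from parse_isakmp_sa_body() relies on that contract and nothing in the hunk enforces it. A regression test that presents an ISAKMP SA body with an invalid KEY_LENGTH attribute and checks that pluto logs the rejection and keeps running, rather than restarting and losing ISAKMP state, would pin the fix down against future edits to this error path.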