--- openswan-2.6.21/lib/libopenswan/asn1.c	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.22/lib/libopenswan/asn1.c	2009-06-22 22:53:08.000000000 -0400
@@ -11,7 +11,6 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
  */
 
 #include <stdlib.h>
@@ -107,6 +106,14 @@
 	len = 256*len + *blob->ptr++;
 	blob->len--;
     }
+    if (len > blob->len)
+    {
+	DBG(DBG_PARSING,
+	    DBG_log("length is larger than remaining blob size")
+	)
+	return ASN1_INVALID_LENGTH;
+    }
+
     return len;
 }
 
@@ -237,13 +244,21 @@
 	int tz_hour, tz_min;
 
 	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+	if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+	{
+	    return 0; /* error in positive timezone offset format */
+	}
+
 	tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
     }
     else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
     {
 	int tz_hour, tz_min;
 
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+	if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+	{
+	     return 0; /* error in negative timezone offset format */
+	}
 	tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
     }
     else
@@ -255,14 +270,22 @@
 	const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 						     "%4d%2d%2d%2d%2d";
 
-	sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-				     &t.tm_hour, &t.tm_min);
+	if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+					 &t.tm_hour, &t.tm_min) != 5)
+	{
+	    return 0; /* error in time st [yy]yymmddhhmm time format */
+	}
+
     }
 
     /* is there a seconds field? */
     if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
     {
-	sscanf(eot-2, "%2d", &t.tm_sec);
+	if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+	{
+	    return 0; /* error in ss seconds field format */
+	}
+
     }
     else
     {
@@ -283,7 +306,11 @@
 	t.tm_year += 100;
     }
 
-    /* representation of month 0..11*/
+    if (t.tm_mon < 1 || t.tm_mon > 12)
+    {
+	return 0; /* error in month format */
+    }
+    /* representation of month 0..11 in struct tm */
     t.tm_mon--;
 
     /* set daylight saving time to off */