Index: sys/netinet6/ipcomp_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet6/ipcomp_input.c,v
retrieving revision 1.36
diff -u -u -p -r1.36 ipcomp_input.c
--- sys/netinet6/ipcomp_input.c 5 May 2008 13:41:30 -0000 1.36
+++ sys/netinet6/ipcomp_input.c 29 Mar 2011 19:19:00 -0000
@@ -148,6 +148,13 @@ ipcomp4_input(m, va_alist)
 ipcomp = mtod(md, struct ipcomp *);
 ip = mtod(m, struct ip *);
 nxt = ipcomp->comp_nxt;
+ if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+ /* nested ipcomp - possible attack, not likely useful */
+ ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp "
+ "(bailing)\n"));
+ IPSEC_STATINC(IPSEC_STAT_IN_INVAL);
+ goto fail;
+ }
 hlen = ip->ip_hl << 2;
 cpi = ntohs(ipcomp->comp_cpi);