Apply by doing
	cd /usr/src/sys/netinet
	patch -p0 < ipsec.patch

And then rebuild your kernel.

Index: sys/netinet/ip_esp_new.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_new.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ip_esp_new.c	1998/03/07 21:30:24	1.17
+++ ip_esp_new.c	1998/05/05 08:54:48	1.18
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp_new.c,v 1.17 1998/03/07 21:30:24 provos Exp $	*/
+/*	$OpenBSD: ip_esp_new.c,v 1.18 1998/05/05 08:54:48 provos Exp $	*/
 
 /*
  * The author of this code is John Ioannidis, ji@tla.org,
@@ -555,7 +555,7 @@
     plen = m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - 
 	   xd->edx_ivlen - alen;
 
-    if (plen & (blks - 1))
+    if ((plen & (blks - 1)) || (plen <= 0))
     {
 #ifdef ENCDEBUG
 	if (encdebug)
@@ -765,6 +765,16 @@
 
     if ((xd->edx_flags & ESP_NEW_FLAG_NPADDING) == 0)
     {
+        if (blk[6] + 2 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+        {
+#ifdef ENCDEBUG
+	    if (encdebug)
+	      printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */	    
+	    espstat.esps_badilen++;
+	    m_freem(m);
+	    return NULL;
+	}
         if ((blk[6] != blk[5]) && (blk[6] != 0))
 	{
 	    if (encdebug)
@@ -777,6 +787,16 @@
     }
     else
     {
+        if (blk[6] + 1 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+        {
+#ifdef ENCDEBUG
+	    if (encdebug)
+	      printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */	    
+	    espstat.esps_badilen++;
+	    m_freem(m);
+	    return NULL;
+	}
 	if (blk[6] == 0)
 	{
 	    if (encdebug)
Index: sys/netinet/ip_esp_old.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_old.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- ip_esp_old.c	1998/03/07 21:30:26	1.15
+++ ip_esp_old.c	1998/05/05 08:54:50	1.16
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp_old.c,v 1.15 1998/03/07 21:30:26 provos Exp $	*/
+/*	$OpenBSD: ip_esp_old.c,v 1.16 1998/05/05 08:54:50 provos Exp $	*/
 
 /*
  * The author of this code is John Ioannidis, ji@tla.org,
@@ -344,7 +344,7 @@
     /* Skip the IP header, IP options, SPI and IV */
     plen = m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
 	   xd->edx_ivlen;
-    if (plen & (blks - 1))
+    if ((plen & (blks - 1)) || (plen <= 0))
     {
 #ifdef ENCDEBUG
 	if (encdebug)
@@ -497,6 +497,18 @@
      * We cannot verify the decryption here (as in ip_esp_new.c), since
      * the padding may be random.
      */
+    
+    if (blk[6] + 2 > m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
+	xd->edx_ivlen)
+    {
+#ifdef ENCDEBUG
+        if (encdebug)
+	  printf("esp_old_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+	espstat.esps_badilen++;
+	m_freem(m);
+	return NULL;
+    }
 
     m_adj(m, -blk[6] - 2);
     m_adj(m, 4 + xd->edx_ivlen);