* so that the entire packet being decompressed doesn't have
* to be in contiguous memory (just the compressed header).
*
- * $Id: slcompress.c,v 1.2 1994/11/28 01:42:00 paulus Exp $
+ * $Id: slcompress.c,v 1.4 1997/03/04 03:45:18 paulus Exp $
*/
#include "../h/types.h"
struct slcompress *comp;
{
u_char *hdr, *cp;
- int hlen, vjlen;
+ int vjlen;
+ u_int hlen;
cp = bufp? *bufp: NULL;
vjlen = sl_uncompress_tcp_core(cp, len, len, type, comp, &hdr, &hlen);
cs = &comp->rstate[comp->last_recv = ip->ip_p];
comp->flags &=~ SLF_TOSS;
ip->ip_p = IPPROTO_TCP;
- hlen = ip->ip_hl;
- hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
- hlen <<= 2;
+ /*
+ * Calculate the size of the TCP/IP header and make sure that
+ * we don't overflow the space we have available for it.
+ */
+ hlen = ip->ip_hl << 2;
+ if (hlen + sizeof(struct tcphdr) > buflen)
+ goto bad;
+ hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+ if (hlen > MAX_HDR || hlen > buflen)
+ goto bad;
BCOPY(ip, &cs->cs_ip, hlen);
cs->cs_hlen = hlen;
INCR(sls_uncompressedin)