X-Git-Url: http://git.ozlabs.org/?a=blobdiff_plain;ds=inline;f=linux%2Fmppe%2Fppp_mppe_compress.c;fp=linux%2Fmppe%2Fppp_mppe_compress.c;h=2e98e180be2dc8e09cc973cf3192697d645211ff;hb=f0b99c0189004a7ee11005f8dd1218b1c97610e7;hp=c652b6907c6e6974138c173ac47db809116e3cd7;hpb=d1de5b3aba4bb773730b1d4420523c278e7561cb;p=ppp.git
diff --git a/linux/mppe/ppp_mppe_compress.c b/linux/mppe/ppp_mppe_compress.c
index c652b69..2e98e18 100644
--- a/linux/mppe/ppp_mppe_compress.c
+++ b/linux/mppe/ppp_mppe_compress.c
@@ -412,9 +412,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
 state->unit, isize);
 return DECOMP_ERROR;
 }
- /* Strange ... our output size is always LESS than the input size. */
- /* assert(osize >= isize - MPPE_OVHD - 2); */
+ /* Make sure we have enough room to decrypt the packet. */
+ if (osize < isize - MPPE_OVHD - 2) {
+ printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! "
+ "(have: %d need: %d)\n", state->unit,
+ osize, isize - MPPE_OVHD - 2);
+ return DECOMP_ERROR;
+ }
 osize = isize - MPPE_OVHD - 2;
 ccount = MPPE_CCOUNT(ibuf);
@@ -508,11 +513,11 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
 * comes from the decrypted data.
 */
 obuf[0] = PPP_ADDRESS(ibuf); /* +1 */
- obuf[1] = PPP_CONTROL(ibuf); /* +2 */
+ obuf[1] = PPP_CONTROL(ibuf); /* +1 */
 obuf += 2;
 ibuf += PPP_HDRLEN + MPPE_OVHD;
 isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */
- /* net: -4 */
+ /* net osize: isize-4 */
 /* And finally, decrypt the packet. */
 arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf);
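Review bot: The required size `isize - MPPE_OVHD - 2` is written out three times in the first hunk with a bare `2`. It only protects the later arcfour_decrypt() write while it equals the two header bytes plus the `isize - PPP_HDRLEN - MPPE_OVHD` decrypted bytes shown in the second hunk. Computing it once from the same constants, e.g. `need = isize - (PPP_HDRLEN + MPPE_OVHD) + 2;` then `if (osize < need) {`, keeps the check, the message and the assignment to osize from drifting apart. The new printk() is also unconditional on an error path that appears reachable per received packet, so gating or rate-limiting it may be worthwhile. mppe_decompress() starts and ends outside the hunk, so the declaration of `need` would go with the function's other locals.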
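Review bot: In the second hunk the new comment `/* net osize: isize-4 */` follows `isize -= PPP_HDRLEN + MPPE_OVHD;`, so by that line `isize` no longer holds the value the comment refers to. Wording such as `/* net osize: original isize - 4 */` would make clear that the figure is relative to the packet length on entry, which is what the `osize < isize - MPPE_OVHD - 2` check in the first hunk compares against. The function body continues outside the hunk.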