X-Git-Url: http://git.ozlabs.org/?a=blobdiff_plain;f=linux%2Fmppe%2Fppp_mppe_compress.c;h=2e98e180be2dc8e09cc973cf3192697d645211ff;hb=f0b99c0189004a7ee11005f8dd1218b1c97610e7;hp=efdb5d15e95af072a6f8b8a1a571760c8fdd2cb1;hpb=ca1af9f74dc0f333c80eb2fa10a4b80306dc4040;p=ppp.git

diff --git a/linux/mppe/ppp_mppe_compress.c b/linux/mppe/ppp_mppe_compress.c
index efdb5d1..2e98e18 100644
--- a/linux/mppe/ppp_mppe_compress.c
+++ b/linux/mppe/ppp_mppe_compress.c
@@ -1,5 +1,5 @@
 /*
- *  ==FILEVERSION 20020320==
+ *  ==FILEVERSION 20020521==
  *
  * ppp_mppe_compress.c - interface MPPE to the PPP code.
  * This version is for use with Linux kernel 2.2.19+ and 2.4.x.
@@ -62,13 +62,8 @@ typedef struct ppp_mppe_state {
 #define MPPE_CCOUNT(p) ((((p)[4] & 0x0f) << 8) + (p)[5])
 #define MPPE_CCOUNT_SPACE 0x1000	/* The size of the ccount space */
 
-/*
- * MPPE overhead/packet.
- * Note that we use this differently than other compressors.
- */
 #define MPPE_OVHD	2		/* MPPE overhead/packet */
-/* Max bogon factor we will tolerate */
-#define SANITY_MAX	1600
+#define SANITY_MAX	1600		/* Max bogon factor we will tolerate */
 
 static void	GetNewKeyFromSHA __P((unsigned char *StartKey,
 				      unsigned char *SessionKey,
@@ -236,17 +231,17 @@ mppe_init(void *arg, unsigned char *options, int optlen, int unit, int debug,
 
     if (debug) {
 	int i;
-	char mkey[sizeof(state->master_key) * 3 + 1];
-	char skey[sizeof(state->session_key) * 3 + 1];
+	char mkey[sizeof(state->master_key) * 2 + 1];
+	char skey[sizeof(state->session_key) * 2 + 1];
 
 	printk(KERN_DEBUG "%s[%d]: initialized with %d-bit %s mode\n", debugstr,
 	       unit, (state->keylen == 16)? 128: 40,
 	       (state->stateful)? "stateful": "stateless");
 
 	for (i = 0; i < sizeof(state->master_key); i++)
-	    sprintf(mkey + i * 2, "%.2x ", state->master_key[i]);
+	    sprintf(mkey + i * 2, "%.2x", state->master_key[i]);
 	for (i = 0; i < sizeof(state->session_key); i++)
-	    sprintf(skey + i * 2, "%.2x ", state->session_key[i]);
+	    sprintf(skey + i * 2, "%.2x", state->session_key[i]);
 	printk(KERN_DEBUG "%s[%d]: keys: master: %s initial session: %s\n",
 	       debugstr, unit, mkey, skey);
     }
@@ -417,9 +412,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
 		   state->unit, isize);
 	return DECOMP_ERROR;
     }
-    /* Strange ... our output size is always LESS than the input size. */
-    /* assert(osize >= isize - MPPE_OVHD - 2); */
 
+    /* Make sure we have enough room to decrypt the packet. */
+    if (osize < isize - MPPE_OVHD - 2) {
+	printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! "
+	       "(have: %d need: %d)\n", state->unit,
+	       osize, isize - MPPE_OVHD - 2);
+	return DECOMP_ERROR;
+    }
     osize = isize - MPPE_OVHD - 2;
 
     ccount = MPPE_CCOUNT(ibuf);
@@ -513,11 +513,11 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
      * comes from the decrypted data.
      */
     obuf[0] = PPP_ADDRESS(ibuf);	/* +1 */
-    obuf[1] = PPP_CONTROL(ibuf);	/* +2 */
+    obuf[1] = PPP_CONTROL(ibuf);	/* +1 */
     obuf  += 2;
     ibuf  += PPP_HDRLEN + MPPE_OVHD;
     isize -= PPP_HDRLEN + MPPE_OVHD;	/* -6 */
-					/* net: -4 */
+					/* net osize: isize-4 */
 
     /* And finally, decrypt the packet. */
     arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf);