X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=freebsd-2.0%2Fpppcompress.c;h=383ca5854aa66b13b5b13d2547b4d22dc4a25d71;hp=9967eb784e59484d13b36ae6c45f98813d57f755;hb=53e3b02e731858f92270828e02ae620bbdff09e3;hpb=f21bd17076cc5ff4d7be91a33ea9a855ac5a9cd9
diff --git a/freebsd-2.0/pppcompress.c b/freebsd-2.0/pppcompress.c
index 9967eb7..383ca58 100644
--- a/freebsd-2.0/pppcompress.c
+++ b/freebsd-2.0/pppcompress.c
@@ -40,7 +40,7 @@
 * Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
 * - Initial distribution.
 *
- * $Id: pppcompress.c,v 1.1 1994/12/15 22:27:17 paulus Exp $
+ * $Id: pppcompress.c,v 1.2 1996/05/24 07:04:14 paulus Exp $
 */
 #include
@@ -471,9 +471,16 @@ vj_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 cs = &comp->rstate[comp->last_recv = ip->ip_p];
 comp->flags &=~ SLF_TOSS;
 ip->ip_p = IPPROTO_TCP;
- hlen = ip->ip_hl;
- hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
- hlen <<= 2;
+ /*
+ * Calculate the size of the TCP/IP header and make sure that
+ * we don't overflow the space we have available for it.
+ */
+ hlen = ip->ip_hl << 2;
+ if (hlen + sizeof(struct tcphdr) > buflen)
+ goto bad;
+ hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+ if (hlen > MAX_HDR || hlen > buflen)
+ goto bad;
 BCOPY(ip, &cs->cs_ip, hlen);
 cs->cs_hlen = hlen;
 INCR(sls_uncompressedin)
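Review bot: The added checks in vj_uncompress_tcp_core bound `hlen` only from above, so an `ip_hl` or `th_off` smaller than 5 still passes both tests and reaches `BCOPY`, which saves a header shorter than a real TCP/IP header (or one whose TCP part overlaps the IP part) into `cs->cs_ip` and `cs->cs_hlen`. Code that later rebuilds packets from this saved state presumably assumes a well-formed header, so I would reject undersized values in the same place: `if (hlen < sizeof(struct ip) || hlen + sizeof(struct tcphdr) > buflen) goto bad;`, and likewise require the TCP part to be at least `sizeof(struct tcphdr)` before adding `th_off << 2`. The declarations of `hlen` and `buflen` are not in the hunk; if `buflen` is a signed int, the comparison against `hlen + sizeof(struct tcphdr)` is done in unsigned arithmetic, so it is worth confirming that callers can never pass a negative length. The function body and the `bad` label lie outside the hunk.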