X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=netbsd-1.1%2Fslcompress.c;h=c46c57f7f14a075a99f5cc9fe6326535ca4fbce2;hp=2029a13b6b9b5c491233253fa81a9ea9f8175cf4;hb=6e6bb3246106e680463c106d1ee6b773fc4f9c5a;hpb=7005827d79039deaac4646047fb08992e47d6b59

diff --git a/netbsd-1.1/slcompress.c b/netbsd-1.1/slcompress.c
index 2029a13..c46c57f 100644
--- a/netbsd-1.1/slcompress.c
+++ b/netbsd-1.1/slcompress.c
@@ -1,4 +1,4 @@
-/*	$Id: slcompress.c,v 1.1 1995/12/11 05:17:11 paulus Exp $	*/
+/*	$Id: slcompress.c,v 1.3 1996/05/24 07:04:47 paulus Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993, 1994
@@ -45,6 +45,7 @@
 
 #include <sys/param.h>
 #include <sys/mbuf.h>
+#include <sys/systm.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -73,9 +74,14 @@ sl_compress_init(comp, max_state)
 	register u_int i;
 	register struct cstate *tstate = comp->tstate;
 
-	if (max_state == -1)
+	if (max_state == -1) {
 		max_state = MAX_STATES - 1;
-	bzero((char *)comp, sizeof(*comp));
+		bzero((char *)comp, sizeof(*comp));
+	} else {
+		/* Don't reset statistics */
+		bzero((char *)comp->tstate, sizeof(comp->tstate));
+		bzero((char *)comp->rstate, sizeof(comp->rstate));
+	}
 	for (i = max_state; i > 0; --i) {
 		tstate[i].cs_id = i;
 		tstate[i].cs_next = &tstate[i - 1];
@@ -275,19 +281,22 @@ sl_compress_tcp(m, ip, comp, compress_cid)
 		 * with it. */
 		 goto uncompressed;
 
-	if (deltaS = (u_int16_t)(ntohs(th->th_win) - ntohs(oth->th_win))) {
+	deltaS = (u_int16_t)(ntohs(th->th_win) - ntohs(oth->th_win));
+	if (deltaS) {
 		ENCODE(deltaS);
 		changes |= NEW_W;
 	}
 
-	if (deltaA = ntohl(th->th_ack) - ntohl(oth->th_ack)) {
+	deltaA = ntohl(th->th_ack) - ntohl(oth->th_ack);
+	if (deltaA) {
 		if (deltaA > 0xffff)
 			goto uncompressed;
 		ENCODE(deltaA);
 		changes |= NEW_A;
 	}
 
-	if (deltaS = ntohl(th->th_seq) - ntohl(oth->th_seq)) {
+	deltaS = ntohl(th->th_seq) - ntohl(oth->th_seq);
+	if (deltaS) {
 		if (deltaS > 0xffff)
 			goto uncompressed;
 		ENCODE(deltaS);
@@ -422,10 +431,10 @@ sl_uncompress_tcp(bufp, len, type, comp)
 	 * header (we assume the packet we were handed has enough space to
 	 * prepend 128 bytes of header).
 	 */
-	if ((int)cp & 3) {
+	if ((long)cp & 3) {
 		if (len > 0)
-			(void) ovbcopy(cp, (caddr_t)((int)cp &~ 3), len);
-		cp = (u_char *)((int)cp &~ 3);
+			(void) ovbcopy(cp, (caddr_t)((long)cp &~ 3), len);
+		cp = (u_char *)((long)cp &~ 3);
 	}
 	cp -= hlen;
 	len += hlen;
@@ -468,9 +477,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 		cs = &comp->rstate[comp->last_recv = ip->ip_p];
 		comp->flags &=~ SLF_TOSS;
 		ip->ip_p = IPPROTO_TCP;
-		hlen = ip->ip_hl;
-		hlen += ((struct tcphdr *)&((int32_t *)ip)[hlen])->th_off;
-		hlen <<= 2;
+		/*
+		 * Calculate the size of the TCP/IP header and make sure that
+		 * we don't overflow the space we have available for it.
+		 */
+		hlen = ip->ip_hl << 2;
+		if (hlen + sizeof(struct tcphdr) > buflen)
+			goto bad;
+		hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+		if (hlen > MAX_HDR || hlen > buflen)
+			goto bad;
 		BCOPY(ip, &cs->cs_ip, hlen);
 		cs->cs_hlen = hlen;
 		INCR(sls_uncompressedin)