X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=ultrix%2Fslcompress.c;h=971bdeec756053eedb894f54c5bfb0fd50f43309;hp=ecbdf3b81df80cc35fdea0bd525d62f078942636;hb=4f5d76ea5ee24f8833b5205d33a259d2c0c31cc6;hpb=03c27e8191546fde9b0821645d72e4234d5d47bc
diff --git a/ultrix/slcompress.c b/ultrix/slcompress.c
index ecbdf3b..971bdee 100644
--- a/ultrix/slcompress.c
+++ b/ultrix/slcompress.c
@@ -24,7 +24,7 @@
 * so that the entire packet being decompressed doesn't have
 * to be in contiguous memory (just the compressed header).
 *
- * $Id: slcompress.c,v 1.2 1994/11/28 01:42:00 paulus Exp $
+ * $Id: slcompress.c,v 1.4 1997/03/04 03:45:18 paulus Exp $
 */
 #include "../h/types.h"
@@ -416,7 +416,8 @@ sl_uncompress_tcp(bufp, len, type, comp)
 struct slcompress *comp;
 {
 u_char *hdr, *cp;
- int hlen, vjlen;
+ int vjlen;
+ u_int hlen;
 cp = bufp? *bufp: NULL;
 vjlen = sl_uncompress_tcp_core(cp, len, len, type, comp, &hdr, &hlen);
@@ -482,9 +483,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 cs = &comp->rstate[comp->last_recv = ip->ip_p];
 comp->flags &=~ SLF_TOSS;
 ip->ip_p = IPPROTO_TCP;
- hlen = ip->ip_hl;
- hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
- hlen <<= 2;
+ /*
+ * Calculate the size of the TCP/IP header and make sure that
+ * we don't overflow the space we have available for it.
+ */
+ hlen = ip->ip_hl << 2;
+ if (hlen + sizeof(struct tcphdr) > buflen)
+ goto bad;
+ hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+ if (hlen > MAX_HDR || hlen > buflen)
+ goto bad;
 BCOPY(ip, &cs->cs_ip, hlen);
 cs->cs_hlen = hlen;
 INCR(sls_uncompressedin)
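Review bot: The new `u_int hlen;` in sl_uncompress_tcp is only correct if it matches the pointer type that sl_uncompress_tcp_core declares for `hlenp`, and that declaration is outside this hunk. Both functions use old-style (K&R) definitions, so the compiler will not diagnose an `int *` versus `u_int *` mismatch at the `&hlen` call site. A prototype for sl_uncompress_tcp_core placed ahead of its first use would let the compiler enforce the agreement; failing that, a comment on the declaration such as `/* passed by address as hlenp; keep the type in step with sl_uncompress_tcp_core */` records the coupling. The body of sl_uncompress_tcp continues past the end of the hunk.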
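Review bot: The checks added after `ip->ip_p = IPPROTO_TCP;` in sl_uncompress_tcp_core bound the header length from above but not from below, so an `ip_hl` or `th_off` smaller than 5 still passes and a malformed packet can leave a truncated header and an undersized `cs_hlen` in the saved connection state. The first guard could reject that case too, `if (hlen < sizeof(struct ip) || hlen + sizeof(struct tcphdr) > buflen)`, with a matching minimum on `th_off << 2` against `sizeof(struct tcphdr)` before it is added to `hlen`. Separately, `hlen + sizeof(struct tcphdr) > buflen` is evaluated in unsigned arithmetic because of `sizeof`; the declarations of `hlen` and `buflen` are outside the hunk, and if `buflen` is a signed int a negative value would convert to a large unsigned one and pass the test, so it is worth confirming that it is unsigned or rejected earlier. `comp->last_recv` and `SLF_TOSS` are also updated on the context lines before any of this validation runs, so the `bad` path has to tolerate that; the `bad` label and the rest of the function are not visible here.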