From f0b99c0189004a7ee11005f8dd1218b1c97610e7 Mon Sep 17 00:00:00 2001
From: Frank Cusack
Date: Thu, 30 Jan 2003 11:13:47 +0000
Subject: [PATCH] verify enough buffer space to decompress a packet
---
 linux/mppe/ppp_mppe_compress.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/linux/mppe/ppp_mppe_compress.c b/linux/mppe/ppp_mppe_compress.c
index c652b69..2e98e18 100644
--- a/linux/mppe/ppp_mppe_compress.c
+++ b/linux/mppe/ppp_mppe_compress.c
@@ -412,9 +412,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
  state->unit, isize);
  return DECOMP_ERROR;
  }
- /* Strange ... our output size is always LESS than the input size. */
- /* assert(osize >= isize - MPPE_OVHD - 2); */
+ /* Make sure we have enough room to decrypt the packet. */
+ if (osize < isize - MPPE_OVHD - 2) {
+ printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! "
+ "(have: %d need: %d)\n", state->unit,
+ osize, isize - MPPE_OVHD - 2);
+ return DECOMP_ERROR;
+ }
  osize = isize - MPPE_OVHD - 2;
  ccount = MPPE_CCOUNT(ibuf);
@@ -508,11 +513,11 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf,
  * comes from the decrypted data.
  */
  obuf[0] = PPP_ADDRESS(ibuf); /* +1 */
- obuf[1] = PPP_CONTROL(ibuf); /* +2 */
+ obuf[1] = PPP_CONTROL(ibuf); /* +1 */
  obuf += 2;
  ibuf += PPP_HDRLEN + MPPE_OVHD;
  isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */
- /* net: -4 */
+ /* net osize: isize-4 */
  /* And finally, decrypt the packet. */
  arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf);
-- 
2.39.2
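Review bot: The new guard in mppe_decompress() spells the required size `isize - MPPE_OVHD - 2` three times (test, printk argument, assignment) with a bare `2`, while the bytes written further down are two header bytes plus `isize - PPP_HDRLEN - MPPE_OVHD` decrypted bytes; the two agree only while PPP_HDRLEN is 4. Computing it once into a local declared with the function's other variables, e.g. `need = 2 + isize - (PPP_HDRLEN + MPPE_OVHD);`, and testing `if (osize < need)` would keep the check tied to the write it protects. The comparison is in signed int, so it only bounds the write if the earlier length check (whose tail is the first context lines of this hunk, the rest being outside it) already rejects an isize below PPP_HDRLEN + MPPE_OVHD; that should be confirmed. The printk runs on every rejected packet, so if a peer can influence isize relative to osize, a rate limit such as `net_ratelimit()` around the message would keep the log from being flooded.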