fix counting bug

[ppp.git] / modules / vjcompress.c

diff --git a/modules/vjcompress.c b/modules/vjcompress.c
index 73a59d4986a61c816560d66de3a372116142f40d..66d3402886c22cdd81dc27b7996a81e1e7a150c6 100644 (file)
--- a/modules/vjcompress.c
+++ b/modules/vjcompress.c
@@ -26,16 +26,16 @@
  */
 
 /*
- * This version is used under SunOS 4.x, DEC Alpha OSF/1, AIX 4.x,
+ * This version is used under SunOS 4.x, Digital UNIX, AIX 4.x,
  * and SVR4 systems including Solaris 2.
  *
- * $Id: vjcompress.c,v 1.6 1995/05/29 06:33:55 paulus Exp $
+ * $Id: vjcompress.c,v 1.9 1996/06/26 00:53:17 paulus Exp $
  */
 
 #include <sys/types.h>
 #include <sys/param.h>
 
-#ifdef __svr4__
+#ifdef SVR4
 #ifndef __GNUC__
 #include <sys/byteorder.h>     /* for ntohl, etc. */
 #else
@@ -49,7 +49,7 @@
 #endif
 #include <netinet/in.h>
 
-#ifdef __aix4__
+#ifdef AIX4
 #define _NETINET_IN_SYSTM_H_
 typedef u_long  n_long;
 #else
@@ -430,8 +430,9 @@ vj_uncompress_err(comp)
  * "Uncompress" a packet of type TYPE_UNCOMPRESSED_TCP.
  */
 int
-vj_uncompress_uncomp(buf, comp)
+vj_uncompress_uncomp(buf, buflen, comp)
     u_char *buf;
+    int buflen;
     struct vjcompress *comp;
 {
     register u_int hlen;
@@ -439,7 +440,12 @@ vj_uncompress_uncomp(buf, comp)
     register struct ip *ip;
 
     ip = (struct ip *) buf;
-    if (ip->ip_p >= MAX_STATES) {
+    hlen = getip_hl(*ip) << 2;
+    if (ip->ip_p >= MAX_STATES
+       || hlen + sizeof(struct tcphdr) > buflen
+       || (hlen += getth_off(*((struct tcphdr *)&((char *)ip)[hlen])) << 2)
+           > buflen
+       || hlen > MAX_HDR) {
        comp->flags |= VJF_TOSS;
        INCR(vjs_errorin);
        return (0);
@@ -447,9 +453,6 @@ vj_uncompress_uncomp(buf, comp)
     cs = &comp->rstate[comp->last_recv = ip->ip_p];
     comp->flags &=~ VJF_TOSS;
     ip->ip_p = IPPROTO_TCP;
-    hlen = getip_hl(*ip);
-    hlen += getth_off(*((struct tcphdr *)&((int *)ip)[hlen]));
-    hlen <<= 2;
     BCOPY(ip, &cs->cs_ip, hlen);
     cs->cs_hlen = hlen;
     INCR(vjs_uncompressedin);