new demand-dial method with backup_tty;

[ppp.git] / netbsd-1.1 / slcompress.c

diff --git a/netbsd-1.1/slcompress.c b/netbsd-1.1/slcompress.c
index 7a0e24e43408f0df52c24f808bcf410824627abb..c46c57f7f14a075a99f5cc9fe6326535ca4fbce2 100644 (file)
--- a/netbsd-1.1/slcompress.c
+++ b/netbsd-1.1/slcompress.c
@@ -1,4 +1,4 @@
-/*     $Id: slcompress.c,v 1.2 1996/04/04 04:17:44 paulus Exp $        */
+/*     $Id: slcompress.c,v 1.3 1996/05/24 07:04:47 paulus Exp $        */

 
 /*
  * Copyright (c) 1989, 1993, 1994
 
 /*
  * Copyright (c) 1989, 1993, 1994


@@ -477,9 +477,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
                cs = &comp->rstate[comp->last_recv = ip->ip_p];
                comp->flags &=~ SLF_TOSS;
                ip->ip_p = IPPROTO_TCP;
                cs = &comp->rstate[comp->last_recv = ip->ip_p];
                comp->flags &=~ SLF_TOSS;
                ip->ip_p = IPPROTO_TCP;

-               hlen = ip->ip_hl;
-               hlen += ((struct tcphdr *)&((int32_t *)ip)[hlen])->th_off;
-               hlen <<= 2;
+               /*
+                * Calculate the size of the TCP/IP header and make sure that
+                * we don't overflow the space we have available for it.
+                */
+               hlen = ip->ip_hl << 2;
+               if (hlen + sizeof(struct tcphdr) > buflen)
+                       goto bad;
+               hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+               if (hlen > MAX_HDR || hlen > buflen)
+                       goto bad;

                BCOPY(ip, &cs->cs_ip, hlen);
                cs->cs_hlen = hlen;
                INCR(sls_uncompressedin)
                BCOPY(ip, &cs->cs_ip, hlen);
                cs->cs_hlen = hlen;
                INCR(sls_uncompressedin)