check that VJ-unc header doesn't overflow buffer

[ppp.git] / ultrix / slcompress.c

diff --git a/ultrix/slcompress.c b/ultrix/slcompress.c
index ecbdf3b81df80cc35fdea0bd525d62f078942636..1cbdd3f79f7d5c052e523f55534abc2252a9f5cd 100644 (file)
--- a/ultrix/slcompress.c
+++ b/ultrix/slcompress.c
@@ -24,7 +24,7 @@
  * so that the entire packet being decompressed doesn't have
  * to be in contiguous memory (just the compressed header).
  *
- * $Id: slcompress.c,v 1.2 1994/11/28 01:42:00 paulus Exp $
+ * $Id: slcompress.c,v 1.3 1996/05/24 07:04:55 paulus Exp $
  */
 
 #include "../h/types.h"
@@ -482,9 +482,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
                cs = &comp->rstate[comp->last_recv = ip->ip_p];
                comp->flags &=~ SLF_TOSS;
                ip->ip_p = IPPROTO_TCP;
-               hlen = ip->ip_hl;
-               hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
-               hlen <<= 2;
+               /*
+                * Calculate the size of the TCP/IP header and make sure that
+                * we don't overflow the space we have available for it.
+                */
+               hlen = ip->ip_hl << 2;
+               if (hlen + sizeof(struct tcphdr) > buflen)
+                       goto bad;
+               hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+               if (hlen > MAX_HDR || hlen > buflen)
+                       goto bad;
                BCOPY(ip, &cs->cs_ip, hlen);
                cs->cs_hlen = hlen;
                INCR(sls_uncompressedin)