X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=ultrix%2Fslcompress.c;h=1cbdd3f79f7d5c052e523f55534abc2252a9f5cd;hp=ecbdf3b81df80cc35fdea0bd525d62f078942636;hb=e79f90482eb6f90c3f1fe7732258756d2ea0277f;hpb=03c27e8191546fde9b0821645d72e4234d5d47bc

diff --git a/ultrix/slcompress.c b/ultrix/slcompress.c
index ecbdf3b..1cbdd3f 100644
--- a/ultrix/slcompress.c
+++ b/ultrix/slcompress.c
@@ -24,7 +24,7 @@
  * so that the entire packet being decompressed doesn't have
  * to be in contiguous memory (just the compressed header).
  *
- * $Id: slcompress.c,v 1.2 1994/11/28 01:42:00 paulus Exp $
+ * $Id: slcompress.c,v 1.3 1996/05/24 07:04:55 paulus Exp $
  */
 
 #include "../h/types.h"
@@ -482,9 +482,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 		cs = &comp->rstate[comp->last_recv = ip->ip_p];
 		comp->flags &=~ SLF_TOSS;
 		ip->ip_p = IPPROTO_TCP;
-		hlen = ip->ip_hl;
-		hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
-		hlen <<= 2;
+		/*
+		 * Calculate the size of the TCP/IP header and make sure that
+		 * we don't overflow the space we have available for it.
+		 */
+		hlen = ip->ip_hl << 2;
+		if (hlen + sizeof(struct tcphdr) > buflen)
+			goto bad;
+		hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+		if (hlen > MAX_HDR || hlen > buflen)
+			goto bad;
 		BCOPY(ip, &cs->cs_ip, hlen);
 		cs->cs_hlen = hlen;
 		INCR(sls_uncompressedin)