From 13754692f73ef65ec90b14533d8268b438c64f88 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Wed, 31 Aug 1994 23:47:43 +0000 Subject: [PATCH] fix null deref and packet length check (off by 1) --- modules/bsd-comp.c | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/modules/bsd-comp.c b/modules/bsd-comp.c index a985278..78fceba 100644 --- a/modules/bsd-comp.c +++ b/modules/bsd-comp.c @@ -492,20 +492,22 @@ bsd_compress(state, mret, mp, slen, maxolen) wptr = cp_end = NULL; olen = 0; - /* Copy the PPP header over, changing the protocol */ - if (wptr) { - *wptr++ = rptr[0]; /* assumes the ppp header is */ - *wptr++ = rptr[1]; /* all in one mblk */ - *wptr++ = 0; /* change the protocol */ - *wptr++ = PPP_COMP; - } - - /* install the 3-byte sequence number */ + /* + * Copy the PPP header over, changing the protocol, + * and install the 3-byte sequence number. + */ slen += db->seqno - PPP_HDRLEN + 1; db->seqno = slen; - *wptr++ = slen>>16; - *wptr++ = slen>>8; - *wptr++ = slen; + if (wptr) { + wptr[0] = rptr[0]; /* assumes the ppp header is */ + wptr[1] = rptr[1]; /* all in one mblk */ + wptr[2] = 0; /* change the protocol */ + wptr[3] = PPP_COMP; + wptr[4] = slen>>16; + wptr[5] = slen>>8; + wptr[6] = slen; + wptr += PPP_HDRLEN + BSD_OVHD; + } /* start with the protocol byte */ ent = rptr[3]; @@ -767,10 +769,13 @@ bsd_decompress(state, cmsg, hdroff) rptr += 3; len = cmsg->b_wptr - rptr; - /* check the sequence number and give up if the length is nonsense */ + /* + * Check the sequence number and give up if the length is nonsense. + * The check is against mru+1 because we compress one byte of protocol. + */ explen = (seq - db->seqno) & 0xffffff; db->seqno = seq; - if (explen > db->mru || explen < 1) { + if (explen > db->mru + 1 || explen < 1) { if (db->debug) printf("bsd_decomp%d: bad length 0x%x\n", db->unit, explen); return 0; -- 2.39.2