From 5ec34c37c493a08c0f8e1e80f9293fe2693e32c6 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Thu, 22 Feb 2001 03:10:06 +0000 Subject: [PATCH] Because of a bug in zlib, restrict deflate parameter to 9..15 for now. Thanks to James Carlson for this fix. --- pppd/ccp.c | 33 +++++++++++++++++++++++++-------- pppd/pppd.8 | 4 ++-- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/pppd/ccp.c b/pppd/ccp.c index 7cfd692..3a5fc97 100644 --- a/pppd/ccp.c +++ b/pppd/ccp.c @@ -25,7 +25,7 @@ * OR MODIFICATIONS. */ -#define RCSID "$Id: ccp.c,v 1.30 2000/04/15 01:27:11 masputra Exp $" +#define RCSID "$Id: ccp.c,v 1.31 2001/02/22 03:10:06 paulus Exp $" #include #include @@ -37,6 +37,15 @@ static const char rcsid[] = RCSID; +/* + * Unfortunately there is a bug in zlib which means that using a + * size of 8 (window size = 256) for Deflate compression will cause + * buffer overruns and kernel crashes in the deflate module. + * Until this is fixed we only accept sizes in the range 9 .. 15. + * Thanks to James Carlson for pointing this out. + */ +#define DEFLATE_MIN_WORKS 9 + /* * Command-line options. */ @@ -56,7 +65,7 @@ static option_t ccp_option_list[] = { { "-bsdcomp", o_bool, &ccp_wantoptions[0].bsd_compress, "don't allow BSD-Compress", OPT_A2COPY, &ccp_allowoptions[0].bsd_compress }, - { "deflate", 1, (void *)setdeflate, + { "deflate", o_special, (void *)setdeflate, "request Deflate compression" }, { "nodeflate", o_bool, &ccp_wantoptions[0].deflate, "don't allow Deflate compression", OPT_A2COPY, 
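Review bot: The comment added above `DEFLATE_MIN_WORKS` in the `@@ -37,6 +37,15 @@` hunk does not say how the new constant relates to `DEFLATE_MIN_SIZE`, which `setdeflate` in this same patch still uses for its range check. I would add a line such as `DEFLATE_MIN_SIZE stays the protocol minimum; DEFLATE_MIN_WORKS is the smallest size pppd will request or accept.` The comment places the overrun in the kernel deflate module, so this limit only constrains what pppd negotiates. The module would presumably still need its own check on the window size it is handed, and the comment could say that the workaround is userland-only.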
@@ -234,6 +243,14 @@ setdeflate(argv) DEFLATE_MIN_SIZE, DEFLATE_MAX_SIZE); return 0; } + if (rbits == DEFLATE_MIN_SIZE || abits == DEFLATE_MIN_SIZE) { + if (rbits == DEFLATE_MIN_SIZE) + rbits = DEFLATE_MIN_WORKS; + if (abits == DEFLATE_MIN_SIZE) + abits = DEFLATE_MIN_WORKS; + warn("deflate option value of %d changed to %d to avoid zlib bug", + DEFLATE_MIN_SIZE, DEFLATE_MIN_WORKS); + } if (rbits > 0) { ccp_wantoptions[0].deflate = 1; ccp_wantoptions[0].deflate_size = rbits; @@ -440,7 +457,7 @@ ccp_resetci(f) if (go->deflate_correct) { opt_buf[0] = CI_DEFLATE; opt_buf[1] = CILEN_DEFLATE; - opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_SIZE); + opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_WORKS); opt_buf[3] = DEFLATE_CHK_SEQUENCE; if (ccp_test(f->unit, opt_buf, CILEN_DEFLATE, 0) <= 0) go->deflate_correct = 0; @@ -448,7 +465,7 @@ ccp_resetci(f) if (go->deflate_draft) { opt_buf[0] = CI_DEFLATE_DRAFT; opt_buf[1] = CILEN_DEFLATE; - opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_SIZE); + opt_buf[2] = DEFLATE_MAKE_OPT(DEFLATE_MIN_WORKS); opt_buf[3] = DEFLATE_CHK_SEQUENCE; if (ccp_test(f->unit, opt_buf, CILEN_DEFLATE, 0) <= 0) go->deflate_draft = 0; @@ -514,7 +531,7 @@ ccp_addci(f, p, lenp) p += CILEN_DEFLATE; break; } - if (res < 0 || go->deflate_size <= DEFLATE_MIN_SIZE) { + if (res < 0 || go->deflate_size <= DEFLATE_MIN_WORKS) { go->deflate = 0; break; } @@ -675,7 +692,7 @@ ccp_nakci(f, p, len) * Stop asking for Deflate if we don't understand his suggestion. */ if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL - || DEFLATE_SIZE(p[2]) < DEFLATE_MIN_SIZE + || DEFLATE_SIZE(p[2]) < DEFLATE_MIN_WORKS || p[3] != DEFLATE_CHK_SEQUENCE) try.deflate = 0; else if (DEFLATE_SIZE(p[2]) < go->deflate_size) 
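Review bot: In the `setdeflate` hunk the clamp tests `rbits == DEFLATE_MIN_SIZE`, which is correct only while `DEFLATE_MIN_WORKS` is exactly one above `DEFLATE_MIN_SIZE`; if the floor is raised again, the sizes in between pass straight through to negotiation. Comparing against the floor ties the guard to the constant that matters: `if (rbits > 0 && rbits < DEFLATE_MIN_WORKS) rbits = DEFLATE_MIN_WORKS;` and the same for `abits`, with the warning printing the value the user actually gave. The range-error call just above the added lines still appears to report `DEFLATE_MIN_SIZE` as the lower bound, while the man page in this commit now says 9. The function begins before the hunk and continues after it.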
@@ -842,7 +859,7 @@ ccp_reqci(f, p, lenp, dont_nak) ho->deflate_size = nb = DEFLATE_SIZE(p[2]); if (DEFLATE_METHOD(p[2]) != DEFLATE_METHOD_VAL || p[3] != DEFLATE_CHK_SEQUENCE - || nb > ao->deflate_size || nb < DEFLATE_MIN_SIZE) { + || nb > ao->deflate_size || nb < DEFLATE_MIN_WORKS) { newret = CONFNAK; if (!dont_nak) { p[2] = DEFLATE_MAKE_OPT(ao->deflate_size); @@ -863,7 +880,7 @@ ccp_reqci(f, p, lenp, dont_nak) res = ccp_test(f->unit, p, CILEN_DEFLATE, 1); if (res > 0) break; /* it's OK now */ - if (res < 0 || nb == DEFLATE_MIN_SIZE || dont_nak) { + if (res < 0 || nb == DEFLATE_MIN_WORKS || dont_nak) { newret = CONFREJ; p[2] = DEFLATE_MAKE_OPT(ho->deflate_size); break; diff --git a/pppd/pppd.8 b/pppd/pppd.8 index 023352c..14939c9 100644 --- a/pppd/pppd.8 +++ b/pppd/pppd.8 @@ -1,5 +1,5 @@ .\" manual page [] for pppd 2.4 -.\" $Id: pppd.8,v 1.54 2000/12/27 23:24:13 paulus Exp $ +.\" $Id: pppd.8,v 1.55 2001/02/22 03:10:05 paulus Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -265,7 +265,7 @@ Request that the peer compress packets that it sends, using the Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and agree to compress packets sent to the peer with a maximum window size of \fI2**nt\fR bytes. If \fInt\fR is not specified, it defaults to -the value given for \fInr\fR. Values in the range 8 to 15 may be used +the value given for \fInr\fR. Values in the range 9 to 15 may be used for \fInr\fR and \fInt\fR; larger values give better compression but consume more kernel memory for compression dictionaries. Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables -- 2.39.2
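Review bot: The floor test `nb == DEFLATE_MIN_WORKS` in the second `ccp_reqci` hunk only stops what looks like a retry path if `nb` lands exactly on the floor, whereas `ccp_addci` in this same patch uses `<=` for the equivalent check. `nb` comes from the peer's option byte, and the first `ccp_reqci` hunk rewrites `p[2]` when `nb < DEFLATE_MIN_WORKS` and `dont_nak` is clear; whether `nb` is reset on that path is not visible here. If it is not, a peer-supplied size below the floor would never match the equality, so I would write `if (res < 0 || nb <= DEFLATE_MIN_WORKS || dont_nak) {`. Both hunks are fragments of a function that begins and ends outside them.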