authordg <dg@FreeBSD.org>1996-04-11 06:46:24 +0000
committerdg <dg@FreeBSD.org>1996-04-11 06:46:24 +0000
commitfb670ba266ee0449aa5d47bd52f7c6bb04723a21 (patch)
tree3e4db62a880191b5c956b3f807a96f7287e1507c /sys/net/slcompress.c
parent17aa8d19ec3408de06e73f2e16d48832cd6cbeee (diff)
When cslip gets an uncompressed packet, it attempts to save off the TCP/IP
header for use in decompressing subsequent packets. If cslip gets garbage (such as what happens when there is a port speed mismatch or modem line noise), it will occasionally mistake the packet as a valid uncompressed packet. When it tries to save off the header, it doesn't bother to check for the validity of the header length and will happily clobber not only the cslip data structure, but parts of other kernel memory that happens to follow it...causing, ahem, undesired behavior.
Diffstat (limited to 'sys/net/slcompress.c')
-rw-r--r--sys/net/slcompress.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/net/slcompress.c b/sys/net/slcompress.c
index 9aadd4b..fe82ce7 100644
--- a/sys/net/slcompress.c
+++ b/sys/net/slcompress.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)slcompress.c 8.2 (Berkeley) 4/16/94
- * $Id: slcompress.c,v 1.5 1995/05/30 08:08:33 rgrimes Exp $
+ * $Id: slcompress.c,v 1.6 1995/10/31 19:22:31 peter Exp $
*/
/*
@@ -471,9 +471,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
cs = &comp->rstate[comp->last_recv = ip->ip_p];
comp->flags &=~ SLF_TOSS;
ip->ip_p = IPPROTO_TCP;
- hlen = ip->ip_hl;
- hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
- hlen <<= 2;
+ /*
+ * Calculate the size of the TCP/IP header and make sure that
+ * we don't overflow the space we have available for it.
+ */
+ hlen = ip->ip_hl << 2;
+ if (hlen + sizeof(struct tcphdr) > buflen)
+ goto bad;
+ hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+ if (hlen > MAX_HDR)
+ goto bad;
BCOPY(ip, &cs->cs_ip, hlen);
cs->cs_hlen = hlen;
INCR(sls_uncompressedin)
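Review bot: The second bound, `if (hlen > MAX_HDR)`, compares the final header length only with the space available in cs->cs_ip, so a th_off that points past the end of the received packet still reaches `BCOPY(ip, &cs->cs_ip, hlen)` and copies bytes from beyond buflen into the saved state; the earlier `hlen + sizeof(struct tcphdr) > buflen` test only guarantees that the fixed part of the TCP header, and thus th_off itself, is readable. Assuming buflen counts bytes from ip (it is a parameter of sl_uncompress_tcp_core whose meaning is not visible in this hunk), the copy should also be bounded by the packet: `if (hlen > MAX_HDR || hlen > buflen) goto bad;`. Neither ip_hl nor th_off is checked against its minimum value of 5 (20 bytes), so a header field claiming fewer than 20 bytes is accepted and saved with a correspondingly short cs_hlen; whether later users of cs_hlen tolerate that cannot be told from here. sl_uncompress_tcp_core begins before this hunk and continues after it.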