author | brian <brian@FreeBSD.org> | 1998-06-14 00:56:13 +0000 |
---|---|---|
committer | brian <brian@FreeBSD.org> | 1998-06-14 00:56:13 +0000 |
commit | 0e5f5ba899a4b90b622d4db2235bb06e2d592f50 (patch) | |
tree | 2eaeda49f72ff7ed7decb33c137a7f8ef7ab69eb /usr.sbin/ppp/slcompress.c | |
parent | 84ee66217aaf229f2db221388ca5b4bb44a24eb2 (diff) | |
o Pass our negotiated number of VJ slots into
sl_uncompress_tcp() and drop packets with
slot numbers that are out of range.
o Drop packets that want to use a slot that still
has an IP header length of 0 (ie, the requested
slot number is bogus again).
Without this code, if the other side mis-behaves (and
sends us garbage slot numbers), we happily ``adjust''
a memset(..., '\0', ...) TCP/IP header and promptly
cr*p all over the stack before returning.... quickly
followed by a SIGBUS.
Dodgy ISP used by, and help locating the problem from: jmz
Problem also seen by: Mourad de Riche <omnibus@image.dk>
There's still a link lockup after this happens, but my
bets are on the other side (who has already started sending
rubbish) being to blame.
Diffstat (limited to 'usr.sbin/ppp/slcompress.c')
-rw-r--r-- | usr.sbin/ppp/slcompress.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/usr.sbin/ppp/slcompress.c b/usr.sbin/ppp/slcompress.c
index df9c8d6c..bd6ca4e 100644
--- a/usr.sbin/ppp/slcompress.c
+++ b/usr.sbin/ppp/slcompress.c
@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: slcompress.c,v 1.15.2.11 1998/05/01 19:25:59 brian Exp $
+ * $Id: slcompress.c,v 1.16 1998/05/21 21:48:27 brian Exp $
  *
  * Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
  * - Initial distribution.
@@ -402,8 +402,8 @@ uncompressed:
 int
-sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
-                  struct slcompress *comp, struct slstat *slstat)
+sl_uncompress_tcp(u_char ** bufp, int len, u_int type, struct slcompress *comp,
+                  struct slstat *slstat, int max_state)
 {
   register u_char *cp;
   register u_int hlen, changes;
@@ -415,7 +415,7 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
   case TYPE_UNCOMPRESSED_TCP:
     ip = (struct ip *) * bufp;
-    if (ip->ip_p >= MAX_VJ_STATES)
+    if (ip->ip_p > max_state)
       goto bad;
     cs = &comp->rstate[comp->last_recv = ip->ip_p];
     comp->flags &= ~SLF_TOSS;
@@ -455,8 +455,9 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
    * Make sure the state index is in range, then grab the state. If we have
    * a good state index, clear the 'discard' flag.
    */
-  if (*cp >= MAX_VJ_STATES || comp->last_recv == 255)
+  if (*cp > max_state || comp->last_recv == 255) {
     goto bad;
+  }
   comp->flags &= ~SLF_TOSS;
   comp->last_recv = *cp++;
@@ -474,6 +475,8 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
   }
   cs = &comp->rstate[comp->last_recv];
   hlen = cs->cs_ip.ip_hl << 2;
+  if (hlen == 0)
+    goto bad; /* We've been pointed at a not-yet-used slot ! */
   th = (struct tcphdr *) & ((u_char *) & cs->cs_ip)[hlen];
   th->th_sum = htons((*cp << 8) | cp[1]);
   cp += 2; |
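Review bot: The new bound checks `ip->ip_p > max_state` and `*cp > max_state` are inclusive, so `max_state` must be the largest valid slot id (slot count minus one) rather than the slot count, yet nothing at the new signature says which, and the description speaks of the "number of VJ slots" — if a caller passes the count, index `max_state` is accepted and `comp->rstate[]` is read one past the negotiated range. A comment on the parameter would pin the contract, e.g. `/* max_state: highest slot id the peer may use (negotiated slots - 1); checked inclusively against comp->rstate[] */`. The `hlen == 0` guard in the last hunk only catches a never-filled slot; a slot populated from an uncompressed header whose `ip_hl` is below 5 would presumably still pass, if the uncompressed path stores `ip_hl` without validating it, so an `hlen < sizeof(struct ip)` test there would be the tighter check. The body of sl_uncompress_tcp begins and ends outside these hunks.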