| author | brian <brian@FreeBSD.org> | 1998-06-14 00:56:13 +0000 |
|---|---|---|
| committer | brian <brian@FreeBSD.org> | 1998-06-14 00:56:13 +0000 |
| commit | 0e5f5ba899a4b90b622d4db2235bb06e2d592f50 | |
| tree | 2eaeda49f72ff7ed7decb33c137a7f8ef7ab69eb /usr.sbin/ppp/vjcomp.c | |
| parent | 84ee66217aaf229f2db221388ca5b4bb44a24eb2 | |

o Pass our negotiated number of VJ slots into
  sl_uncompress_tcp() and drop packets with
  slot numbers that are out of range.
o Drop packets that want to use a slot that still
  has an IP header length of 0 (ie, the requested
  slot number is bogus again).

Without this code, if the other side mis-behaves (and
sends us garbage slot numbers), we happily ``adjust''
a memset(..., '\0', ...) TCP/IP header and promptly
cr*p all over the stack before returning.... quickly
followed by a SIGBUS.

Dodgy ISP used by, and help locating the problem from: jmz
Problem also seen by: Mourad de Riche <omnibus@image.dk>

There's still a link lockup after this happens, but my
bets are on the other side (who has already started sending
rubbish) being to blame.

Diffstat (limited to 'usr.sbin/ppp/vjcomp.c')
-rw-r--r-- | usr.sbin/ppp/vjcomp.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/ppp/vjcomp.c b/usr.sbin/ppp/vjcomp.c index 851ea22..615ffa9 100644 --- a/usr.sbin/ppp/vjcomp.c +++ b/usr.sbin/ppp/vjcomp.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: vjcomp.c,v 1.16.2.17 1998/05/04 03:00:09 brian Exp $ + * $Id: vjcomp.c,v 1.17 1998/05/21 21:49:06 brian Exp $ * * TODO: */ @@ -106,7 +106,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type) * space for uncompression job. */ bufp = MBUF_CTOP(bp); - len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat); + len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat, + (ipcp->my_compproto >> 8) & 255); if (len <= 0) { mbuf_Free(bp); bp = NULL; @@ -124,7 +125,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type) rlen = len; bufp = work + MAX_HDR; bp = mbuf_Read(bp, bufp, rlen); - len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat); + len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat, + (ipcp->my_compproto >> 8) & 255); if (len <= 0) { mbuf_Free(bp); return NULL; |
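Review bot: In the hunk at @@ -106,7 of VjUncompressTcp(), the new last argument `(ipcp->my_compproto >> 8) & 255` is an unexplained shift-and-mask, and the identical expression appears again in the hunk at @@ -124,7. Compute it once into a named local at the top of the function (or wrap it in a small macro) with a comment saying which field of my_compproto it extracts, so the two calls cannot drift apart when one of them is edited later.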
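Review bot: At the second call, in the hunk at @@ -124,7, nothing at the call site says whether the byte being passed is a count of slots or the highest usable slot number; the commit message calls it the "number of VJ slots". This diff is limited to vjcomp.c, so the comparison inside sl_uncompress_tcp() is not visible here. Please confirm that the range check there uses the bound that matches the chosen meaning (one reading needs `>`, the other `>=`), since an off-by-one either rejects a valid slot or admits one slot past the negotiated range, and state the convention in a comment next to the argument.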