diff options
-rw-r--r-- | usr.sbin/ppp/slcompress.c | 13 | ||||
-rw-r--r-- | usr.sbin/ppp/slcompress.h | 4 | ||||
-rw-r--r-- | usr.sbin/ppp/vjcomp.c | 8 |
3 files changed, 15 insertions, 10 deletions
diff --git a/usr.sbin/ppp/slcompress.c b/usr.sbin/ppp/slcompress.c index df9c8d6c..bd6ca4e 100644 --- a/usr.sbin/ppp/slcompress.c +++ b/usr.sbin/ppp/slcompress.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: slcompress.c,v 1.15.2.11 1998/05/01 19:25:59 brian Exp $ + * $Id: slcompress.c,v 1.16 1998/05/21 21:48:27 brian Exp $ * * Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989: * - Initial distribution. @@ -402,8 +402,8 @@ uncompressed: int -sl_uncompress_tcp(u_char ** bufp, int len, u_int type, - struct slcompress *comp, struct slstat *slstat) +sl_uncompress_tcp(u_char ** bufp, int len, u_int type, struct slcompress *comp, + struct slstat *slstat, int max_state) { register u_char *cp; register u_int hlen, changes; @@ -415,7 +415,7 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type, case TYPE_UNCOMPRESSED_TCP: ip = (struct ip *) * bufp; - if (ip->ip_p >= MAX_VJ_STATES) + if (ip->ip_p > max_state) goto bad; cs = &comp->rstate[comp->last_recv = ip->ip_p]; comp->flags &= ~SLF_TOSS; @@ -455,8 +455,9 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type, * Make sure the state index is in range, then grab the state. If we have * a good state index, clear the 'discard' flag. */ - if (*cp >= MAX_VJ_STATES || comp->last_recv == 255) + if (*cp > max_state || comp->last_recv == 255) { goto bad; + } comp->flags &= ~SLF_TOSS; comp->last_recv = *cp++; @@ -474,6 +475,8 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type, } cs = &comp->rstate[comp->last_recv]; hlen = cs->cs_ip.ip_hl << 2; + if (hlen == 0) + goto bad; /* We've been pointed at a not-yet-used slot ! */ th = (struct tcphdr *) & ((u_char *) & cs->cs_ip)[hlen]; th->th_sum = htons((*cp << 8) | cp[1]); cp += 2; diff --git a/usr.sbin/ppp/slcompress.h b/usr.sbin/ppp/slcompress.h index ebe7f1b..6af7905 100644 --- a/usr.sbin/ppp/slcompress.h +++ b/usr.sbin/ppp/slcompress.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: slcompress.h,v 1.10.2.5 1998/05/01 19:26:00 brian Exp $ + * $Id: slcompress.h,v 1.11 1998/05/21 21:48:30 brian Exp $ * * Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989: * - Initial distribution. @@ -145,5 +145,5 @@ extern void sl_compress_init(struct slcompress *, int); extern u_char sl_compress_tcp(struct mbuf *, struct ip *, struct slcompress *, struct slstat *, int); extern int sl_uncompress_tcp(u_char **, int, u_int, struct slcompress *, - struct slstat *); + struct slstat *, int); extern int sl_Show(struct cmdargs const *); diff --git a/usr.sbin/ppp/vjcomp.c b/usr.sbin/ppp/vjcomp.c index 851ea22..615ffa9 100644 --- a/usr.sbin/ppp/vjcomp.c +++ b/usr.sbin/ppp/vjcomp.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: vjcomp.c,v 1.16.2.17 1998/05/04 03:00:09 brian Exp $ + * $Id: vjcomp.c,v 1.17 1998/05/21 21:49:06 brian Exp $ * * TODO: */ @@ -106,7 +106,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type) * space for uncompression job. */ bufp = MBUF_CTOP(bp); - len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat); + len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat, + (ipcp->my_compproto >> 8) & 255); if (len <= 0) { mbuf_Free(bp); bp = NULL; @@ -124,7 +125,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type) rlen = len; bufp = work + MAX_HDR; bp = mbuf_Read(bp, bufp, rlen); - len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat); + len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat, + (ipcp->my_compproto >> 8) & 255); if (len <= 0) { mbuf_Free(bp); return NULL; |