diff options
| -rw-r--r-- | sys/net/slcompress.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/net/slcompress.c b/sys/net/slcompress.c index 9aadd4b..fe82ce7 100644 --- a/sys/net/slcompress.c +++ b/sys/net/slcompress.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)slcompress.c 8.2 (Berkeley) 4/16/94 - * $Id: slcompress.c,v 1.5 1995/05/30 08:08:33 rgrimes Exp $ + * $Id: slcompress.c,v 1.6 1995/10/31 19:22:31 peter Exp $ */ /* @@ -471,9 +471,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp) cs = &comp->rstate[comp->last_recv = ip->ip_p]; comp->flags &=~ SLF_TOSS; ip->ip_p = IPPROTO_TCP; - hlen = ip->ip_hl; - hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off; - hlen <<= 2; + /* + * Calculate the size of the TCP/IP header and make sure that + * we don't overflow the space we have available for it. + */ + hlen = ip->ip_hl << 2; + if (hlen + sizeof(struct tcphdr) > buflen) + goto bad; + hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2; + if (hlen > MAX_HDR) + goto bad; BCOPY(ip, &cs->cs_ip, hlen); cs->cs_hlen = hlen; INCR(sls_uncompressedin) |
