From 0e5f5ba899a4b90b622d4db2235bb06e2d592f50 Mon Sep 17 00:00:00 2001
From: brian
Date: Sun, 14 Jun 1998 00:56:13 +0000
Subject: o Pass our negotiated number of VJ slots into sl_uncompress_tcp() and drop packets with slot numbers that are out of range. o Drop packets that want to use a slot that still has an IP header length of 0 (ie, the requested slot number is bogus again). Without this code, if the other side mis-behaves (and sends us garbage slot numbers), we happily ``adjust'' a memset(..., '\0', ...) TCP/IP header and promptly cr*p all over the stack before returning.... quickly followed by a SIGBUS. Dodgy ISP used by, and help locating the problem from: jmz Problem also seen by: Mourad de Riche There's still a link lockup after this happens, but my bets are on the other side (who has already started sending rubbish) being to blame.
---
 usr.sbin/ppp/slcompress.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'usr.sbin/ppp/slcompress.c')
diff --git a/usr.sbin/ppp/slcompress.c b/usr.sbin/ppp/slcompress.c
index df9c8d6c..bd6ca4e 100644
--- a/usr.sbin/ppp/slcompress.c
+++ b/usr.sbin/ppp/slcompress.c
@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: slcompress.c,v 1.15.2.11 1998/05/01 19:25:59 brian Exp $
+ * $Id: slcompress.c,v 1.16 1998/05/21 21:48:27 brian Exp $
  *
  * Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
  * - Initial distribution.
@@ -402,8 +402,8 @@ uncompressed:
 int
-sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
-                  struct slcompress *comp, struct slstat *slstat)
+sl_uncompress_tcp(u_char ** bufp, int len, u_int type, struct slcompress *comp,
+                  struct slstat *slstat, int max_state)
 {
   register u_char *cp;
   register u_int hlen, changes;
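Review bot: The new `max_state` parameter carries no comment stating its contract, and its name reads as a count while the comparisons this commit adds further down (`ip->ip_p > max_state`, `*cp > max_state`) treat it as the highest valid slot index, inclusive; the commit message's "number of VJ slots" makes that ambiguity worse. A one-line note on the signature would settle it for callers: `/* max_state: highest VJ slot index the peer may use (negotiated slots - 1), inclusive; must not exceed MAX_VJ_STATES - 1 */`. It is also a signed `int` compared against `u_char` slot numbers, so a negative value rejects every packet — safe, but worth saying in the same comment. The body of sl_uncompress_tcp continues past this hunk.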
@@ -415,7 +415,7 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
   case TYPE_UNCOMPRESSED_TCP:
     ip = (struct ip *) * bufp;
-    if (ip->ip_p >= MAX_VJ_STATES)
+    if (ip->ip_p > max_state)
       goto bad;
     cs = &comp->rstate[comp->last_recv = ip->ip_p];
     comp->flags &= ~SLF_TOSS;
@@ -455,8 +455,9 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
    * Make sure the state index is in range, then grab the state. If we have
    * a good state index, clear the 'discard' flag.
    */
-  if (*cp >= MAX_VJ_STATES || comp->last_recv == 255)
+  if (*cp > max_state || comp->last_recv == 255) {
     goto bad;
+  }
   comp->flags &= ~SLF_TOSS;
   comp->last_recv = *cp++;
@@ -474,6 +475,8 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
   }
   cs = &comp->rstate[comp->last_recv];
   hlen = cs->cs_ip.ip_hl << 2;
+  if (hlen == 0)
+    goto bad; /* We've been pointed at a not-yet-used slot ! */
   th = (struct tcphdr *) & ((u_char *) & cs->cs_ip)[hlen];
   th->th_sum = htons((*cp << 8) | cp[1]);
   cp += 2;
-- 
cgit v1.1
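Review bot: Replacing `>= MAX_VJ_STATES` with `> max_state` makes the slot check only as strong as the caller's value: `cs = &comp->rstate[comp->last_recv = ip->ip_p]` two lines below still indexes a fixed-size array, so if `max_state` ever exceeds `MAX_VJ_STATES - 1` (for instance a negotiated slot count taken from the peer without clamping — not visible in this diff) the lookup runs past `rstate`. Keeping the array bound as defence in depth costs one comparison: `if (ip->ip_p > max_state || ip->ip_p >= MAX_VJ_STATES)` here, and likewise `if (*cp > max_state || *cp >= MAX_VJ_STATES || comp->last_recv == 255)` in the hunk at line 455. That second hunk also braces its single-statement `if` while this one leaves its counterpart unbraced; pick one form for both. The enclosing function starts and ends outside these hunks.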
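Review bot: `hlen == 0` catches a never-written slot but not a stored header that is too short: `th` is placed at `&cs->cs_ip[hlen]` on the next line, so any `ip_hl` from 1 to 4 (hlen 4..16) puts the TCP header inside the IP header and the `th_sum` write that follows still lands on the wrong bytes of the saved state. The saved `ip_hl` presumably originates from an earlier TYPE_UNCOMPRESSED_TCP packet, i.e. from the peer; unless that path validates it before copying into `cs_ip` (not shown here), the stricter `if (hlen < sizeof(struct ip)) goto bad; /* unused or corrupt slot */` covers both the unused-slot case and a bogus header length in one check. The function continues outside the hunk.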