When cslip gets an uncompressed packet, it attempts to save off the TCP/IP
header for use in decompressing subsequant packets. If cslip gets garbage (such as what happens when there is a port speed mismatch or modem line noise), it will occasionally mistake the packet as a valid uncompressed packet. When it tries to save off the header, it doesn't bother to check for the validity of the header length and will happily clobber not only the cslip data structure, but parts of other kernel memory that happens to follow it...causing, ahem, undesired behavior.
This commit is contained in:
parent
97bc0f09cf
commit
06fc5af99c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=15185
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)slcompress.c 8.2 (Berkeley) 4/16/94
|
||||
* $Id: slcompress.c,v 1.5 1995/05/30 08:08:33 rgrimes Exp $
|
||||
* $Id: slcompress.c,v 1.6 1995/10/31 19:22:31 peter Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -471,9 +471,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
|
||||
cs = &comp->rstate[comp->last_recv = ip->ip_p];
|
||||
comp->flags &=~ SLF_TOSS;
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
hlen = ip->ip_hl;
|
||||
hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
|
||||
hlen <<= 2;
|
||||
/*
|
||||
* Calculate the size of the TCP/IP header and make sure that
|
||||
* we don't overflow the space we have available for it.
|
||||
*/
|
||||
hlen = ip->ip_hl << 2;
|
||||
if (hlen + sizeof(struct tcphdr) > buflen)
|
||||
goto bad;
|
||||
hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
|
||||
if (hlen > MAX_HDR)
|
||||
goto bad;
|
||||
BCOPY(ip, &cs->cs_ip, hlen);
|
||||
cs->cs_hlen = hlen;
|
||||
INCR(sls_uncompressedin)
|
||||
|
Loading…
Reference in New Issue
Block a user