When cslip gets an uncompressed packet, it attempts to save off the TCP/IP

header for use in decompressing subsequant packets. If cslip gets garbage (such as what happens when there is a port speed mismatch or modem line noise), it will occasionally mistake the packet as a valid uncompressed packet. When it tries to save off the header, it doesn't bother to check for the validity of the header length and will happily clobber not only the cslip data structure, but parts of other kernel memory that happens to follow it...causing, ahem, undesired behavior.
svn path=/head/; revision=15185
1996-04-11 06:46:24 +00:00 · 1996-04-11 06:46:24 +00:00 · 06fc5af99c · 2020-12-20 02:59:44 +00:00
commit 06fc5af99c
parent 97bc0f09cf
1 changed files with 11 additions and 4 deletions
--- a/sys/net/slcompress.c
+++ b/sys/net/slcompress.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)slcompress.c	8.2 (Berkeley) 4/16/94
- * $Id: slcompress.c,v 1.5 1995/05/30 08:08:33 rgrimes Exp $
+ * $Id: slcompress.c,v 1.6 1995/10/31 19:22:31 peter Exp $
 */

 /*
@ -471,9 +471,16 @@ sl_uncompress_tcp_core(buf, buflen, total_len, type, comp, hdrp, hlenp)
 		cs = &comp->rstate[comp->last_recv = ip->ip_p];
 		comp->flags &=~ SLF_TOSS;
 		ip->ip_p = IPPROTO_TCP;
-		hlen = ip->ip_hl;
-		hlen += ((struct tcphdr *)&((int *)ip)[hlen])->th_off;
-		hlen <<= 2;
+		/*
+		 * Calculate the size of the TCP/IP header and make sure that
+		 * we don't overflow the space we have available for it.
+		 */
+		hlen = ip->ip_hl << 2;
+		if (hlen + sizeof(struct tcphdr) > buflen)
+			goto bad;
+		hlen += ((struct tcphdr *)&((char *)ip)[hlen])->th_off << 2;
+		if (hlen > MAX_HDR)
+			goto bad;
 		BCOPY(ip, &cs->cs_ip, hlen);
 		cs->cs_hlen = hlen;
 		INCR(sls_uncompressedin)