o Pass our negotiated number of VJ slots into

sl_uncompress_tcp() and drop packets with slot numbers that are out of range. o Drop packets that want to use a slot that still has an IP header length of 0 (ie, the requested slot number is bogus again). Without this code, if the other side mis-behaves (and sends us garbage slot numbers), we happily ``adjust'' a memset(..., '\0', ...) TCP/IP header and promptly cr*p all over the stack before returning.... quickly followed by a SIGBUS. Dodgy ISP used by, and help locating the problem from: jmz Problem also seen by: Mourad de Riche <omnibus@image.dk> There's still a link lockup after this happens, but my bets are on the other side (who has already started sending rubbish) being to blame.
svn path=/head/; revision=36960
1998-06-14 00:56:13 +00:00 · 1998-06-14 00:56:13 +00:00 · 42c57c8682 · 2020-12-20 02:59:44 +00:00
commit 42c57c8682
parent 396ffb2e6b
3 changed files with 15 additions and 10 deletions
--- a/usr.sbin/ppp/slcompress.c
+++ b/usr.sbin/ppp/slcompress.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: slcompress.c,v 1.15.2.11 1998/05/01 19:25:59 brian Exp $
+ * $Id: slcompress.c,v 1.16 1998/05/21 21:48:27 brian Exp $
 *
 *	Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
 *	- Initial distribution.
@ -402,8 +402,8 @@ sl_compress_tcp(struct mbuf * m,


 int
-sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
-		  struct slcompress *comp, struct slstat *slstat)
+sl_uncompress_tcp(u_char ** bufp, int len, u_int type, struct slcompress *comp,
+                  struct slstat *slstat, int max_state)
 {
  register u_char *cp;
  register u_int hlen, changes;
@ -415,7 +415,7 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,

  case TYPE_UNCOMPRESSED_TCP:
    ip = (struct ip *) * bufp;
-    if (ip->ip_p >= MAX_VJ_STATES)
+    if (ip->ip_p > max_state)
      goto bad;
    cs = &comp->rstate[comp->last_recv = ip->ip_p];
    comp->flags &= ~SLF_TOSS;
@ -455,8 +455,9 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
     * Make sure the state index is in range, then grab the state. If we have
     * a good state index, clear the 'discard' flag.
     */
-    if (*cp >= MAX_VJ_STATES || comp->last_recv == 255)
+    if (*cp > max_state || comp->last_recv == 255) {
      goto bad;
+    }

    comp->flags &= ~SLF_TOSS;
    comp->last_recv = *cp++;
@ -474,6 +475,8 @@ sl_uncompress_tcp(u_char ** bufp, int len, u_int type,
  }
  cs = &comp->rstate[comp->last_recv];
  hlen = cs->cs_ip.ip_hl << 2;
+  if (hlen == 0)
+    goto bad;    /* We've been pointed at a not-yet-used slot ! */
  th = (struct tcphdr *) & ((u_char *) & cs->cs_ip)[hlen];
  th->th_sum = htons((*cp << 8) | cp[1]);
  cp += 2;
--- a/usr.sbin/ppp/slcompress.h
+++ b/usr.sbin/ppp/slcompress.h
@ -16,7 +16,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: slcompress.h,v 1.10.2.5 1998/05/01 19:26:00 brian Exp $
+ * $Id: slcompress.h,v 1.11 1998/05/21 21:48:30 brian Exp $
 *
 *	Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
 *	- Initial distribution.
@ -145,5 +145,5 @@ extern void sl_compress_init(struct slcompress *, int);
 extern u_char sl_compress_tcp(struct mbuf *, struct ip *, struct slcompress *,
                              struct slstat *, int);
 extern int sl_uncompress_tcp(u_char **, int, u_int, struct slcompress *,
-                             struct slstat *);
+                             struct slstat *, int);
 extern int sl_Show(struct cmdargs const *);
--- a/usr.sbin/ppp/vjcomp.c
+++ b/usr.sbin/ppp/vjcomp.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: vjcomp.c,v 1.16.2.17 1998/05/04 03:00:09 brian Exp $
+ * $Id: vjcomp.c,v 1.17 1998/05/21 21:49:06 brian Exp $
 *
 *  TODO:
 */
@ -106,7 +106,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type)
     * space for uncompression job.
     */
    bufp = MBUF_CTOP(bp);
-    len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat);
+    len = sl_uncompress_tcp(&bufp, len, type, &ipcp->vj.cslc, &ipcp->vj.slstat,
+                            (ipcp->my_compproto >> 8) & 255);
    if (len <= 0) {
      mbuf_Free(bp);
      bp = NULL;
@ -124,7 +125,8 @@ VjUncompressTcp(struct ipcp *ipcp, struct mbuf * bp, u_char type)
  rlen = len;
  bufp = work + MAX_HDR;
  bp = mbuf_Read(bp, bufp, rlen);
-  len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat);
+  len = sl_uncompress_tcp(&bufp, olen, type, &ipcp->vj.cslc, &ipcp->vj.slstat,
+                          (ipcp->my_compproto >> 8) & 255);
  if (len <= 0) {
    mbuf_Free(bp);
    return NULL;