Fix this damn mbuf with a negative m_len. It turns
out to be a problem with VJ header compression. davidg spotted this in usr.sbin/ppp/slcompress.c a while ago, but I believe gave the wrong reasons - it's too easy to reproduce ! The only scenario that I've been able to reproduce the problem under is when m_len is *exactly* 40 ! So go figure ! PR: 3749 Submitted elsewhere by: davidg Obtained from: usr.sbin/ppp/slcompress.c
This commit is contained in:
brian
parent
2a7aa47170
commit
f6675497ed
@ -70,7 +70,7 @@
|
||||
* Paul Mackerras (paulus@cs.anu.edu.au).
|
||||
*/
|
||||
|
||||
/* $Id: ppp_tty.c,v 1.19 1997/06/09 04:13:48 brian Exp $ */
|
||||
/* $Id: ppp_tty.c,v 1.20 1997/06/18 02:50:40 brian Exp $ */
|
||||
/* from Id: ppp_tty.c,v 1.3 1995/08/16 01:36:40 paulus Exp */
|
||||
/* from if_sl.c,v 1.11 84/10/04 12:54:47 rick Exp */
|
||||
|
||||
@ -642,10 +642,6 @@ pppstart(tp)
|
||||
|
||||
s = spltty(); /* in case.. do not want netisrs to preempt us */
|
||||
|
||||
m = sc->sc_outm;
|
||||
if (m && m->m_len < 0)
|
||||
MFREE(m, sc->sc_outm);
|
||||
|
||||
idle = 0;
|
||||
while (CCOUNT(&tp->t_outq) < PPP_HIWAT) {
|
||||
/*
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)slcompress.c 8.2 (Berkeley) 4/16/94
|
||||
* $Id$
|
||||
* $Id: slcompress.c,v 1.9 1997/02/22 09:41:16 peter Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -217,6 +217,8 @@ sl_compress_tcp(m, ip, comp, compress_cid)
|
||||
comp->last_cs = lcs;
|
||||
hlen += th->th_off;
|
||||
hlen <<= 2;
|
||||
if (hlen > m->m_len)
|
||||
return TYPE_IP;
|
||||
goto uncompressed;
|
||||
|
||||
found:
|
||||
@ -247,6 +249,8 @@ sl_compress_tcp(m, ip, comp, compress_cid)
|
||||
deltaS = hlen;
|
||||
hlen += th->th_off;
|
||||
hlen <<= 2;
|
||||
if (hlen > m->m_len)
|
||||
return TYPE_IP;
|
||||
|
||||
if (((u_short *)ip)[0] != ((u_short *)&cs->cs_ip)[0] ||
|
||||
((u_short *)ip)[3] != ((u_short *)&cs->cs_ip)[3] ||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user