From 3bb3b0463e6e34ae835b34c3d890e5597d157967 Mon Sep 17 00:00:00 2001 From: Brian Somers Date: Sun, 22 Jun 1997 02:19:53 +0000 Subject: [PATCH] Fix this damn mbuf with a negative m_len. It turns out to be a problem with VJ header compression. davidg spotted this in usr.sbin/ppp/slcompress.c a while ago, but I believe gave the wrong reasons - it's too easy to reproduce ! The only scenario that I've been able to reproduce the problem under is when m_len is *exactly* 40 ! So go figure ! PR: 3749 Submitted elsewhere by: davidg Obtained from: usr.sbin/ppp/slcompress.c --- sys/net/ppp_tty.c | 6 +----- sys/net/slcompress.c | 6 +++++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/sys/net/ppp_tty.c b/sys/net/ppp_tty.c index 7735edf864b7..422a360a0f1f 100644 --- a/sys/net/ppp_tty.c +++ b/sys/net/ppp_tty.c @@ -70,7 +70,7 @@ * Paul Mackerras (paulus@cs.anu.edu.au). */ -/* $Id: ppp_tty.c,v 1.19 1997/06/09 04:13:48 brian Exp $ */ +/* $Id: ppp_tty.c,v 1.20 1997/06/18 02:50:40 brian Exp $ */ /* from Id: ppp_tty.c,v 1.3 1995/08/16 01:36:40 paulus Exp */ /* from if_sl.c,v 1.11 84/10/04 12:54:47 rick Exp */ @@ -642,10 +642,6 @@ pppstart(tp) s = spltty(); /* in case.. do not want netisrs to preempt us */ - m = sc->sc_outm; - if (m && m->m_len < 0) - MFREE(m, sc->sc_outm); - idle = 0; while (CCOUNT(&tp->t_outq) < PPP_HIWAT) { /* diff --git a/sys/net/slcompress.c b/sys/net/slcompress.c index 839100cd8c24..cc7152aae493 100644 --- a/sys/net/slcompress.c +++ b/sys/net/slcompress.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)slcompress.c 8.2 (Berkeley) 4/16/94 - * $Id$ + * $Id: slcompress.c,v 1.9 1997/02/22 09:41:16 peter Exp $ */ /* @@ -217,6 +217,8 @@ sl_compress_tcp(m, ip, comp, compress_cid) comp->last_cs = lcs; hlen += th->th_off; hlen <<= 2; + if (hlen > m->m_len) + return TYPE_IP; goto uncompressed; found: 
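Review bot: The new `if (hlen > m->m_len) return TYPE_IP;` guard in the `@@ -217,6 +217,8 @@` hunk runs only after `th->th_off` has been read on the `hlen += th->th_off;` line above it, so it bounds what is done with `hlen` afterwards but not the access to the TCP header itself. Where `th` is derived is outside this hunk; if nothing earlier in sl_compress_tcp() confirms that the IP header length plus `sizeof(struct tcphdr)` fits in `m->m_len`, that check belongs before the first use of `th`. The declarations of `hlen` and `m_len` are not visible here either; if their signedness differs, the comparison is done unsigned, and an explicit cast or a separate `m->m_len < 0` test would make the intent clear. I would also add a comment such as `/* headers run past the first mbuf; send as plain TYPE_IP */` above the guard. The same points apply to the identical guard added in the `@@ -247,6 +249,8 @@` hunk.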
@@ -247,6 +249,8 @@ sl_compress_tcp(m, ip, comp, compress_cid)
 deltaS = hlen;
 hlen += th->th_off;
 hlen <<= 2;
+ if (hlen > m->m_len)
+ return TYPE_IP;
 if (((u_short *)ip)[0] != ((u_short *)&cs->cs_ip)[0] ||
 ((u_short *)ip)[3] != ((u_short *)&cs->cs_ip)[3] ||