Bugfix based on a kernel fix:

When PPP gets an uncompressed packet, it attempts to save off the TCP/IP
header for use in decompressing subsequant packets. If PPP gets garbage
(such as what happens when there is a port speed mismatch or modem line
noise), it will occasionally mistake the packet as a valid uncompressed
packet. When it tries to save off the header, it doesn't bother to check
for the validity of the header length and will happily clobber not only
the PPP VJC data structure, but parts of other process memory that happens
to follow it...causing, ahem, undesired behavior.

usr.sbin/ppp/slcompress.c

@@ -17,13 +17,13 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: slcompress.c,v 1.3 1995/05/30 03:50:57 rgrimes Exp $
+ * $Id: slcompress.c,v 1.4 1996/01/11 17:48:58 phk Exp $
  *
  *	Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
  *	- Initial distribution.
  */
 #ifndef lint
-static char const rcsid[] = "$Id$";
+static char const rcsid[] = "$Id: slcompress.c,v 1.4 1996/01/11 17:48:58 phk Exp $";
 #endif
 
 #include "defs.h"
@@ -430,10 +430,17 @@ sl_uncompress_tcp(bufp, len, type, comp)
 		cs = &comp->rstate[comp->last_recv = ip->ip_p];
 		comp->flags &=~ SLF_TOSS;
 		ip->ip_p = IPPROTO_TCP;
-		hlen = ip->ip_hl;
+		/*
+		 * Calculate the size of the TCP/IP header and make sure that
+		 * we don't overflow the space we have available for it.
+		*/
+		hlen = ip->ip_hl << 2;
+		if (hlen + sizeof(struct tcphdr) > len)
+			goto bad;
 		th = (struct tcphdr *)&((int *)ip)[hlen];
-		hlen += THOFFSET(th);
-		hlen <<= 2;
+		hlen += THOFFSET(th) << 2;
+		if (hlen > MAX_HDR)
+			goto bad;
 		BCOPY(ip, &cs->cs_ip, hlen);
 		cs->cs_ip.ip_sum = 0;
 		cs->cs_hlen = hlen;