diff options
author | Frank Cusack <fcusack@fcusack.com> | 2003-01-30 11:13:47 +0000 |
---|---|---|
committer | Frank Cusack <fcusack@fcusack.com> | 2003-01-30 11:13:47 +0000 |
commit | f0b99c0189004a7ee11005f8dd1218b1c97610e7 (patch) | |
tree | 178f92f7e176b4fc5bb3bf92d2f1d5711da27cf7 /linux | |
parent | d1de5b3aba4bb773730b1d4420523c278e7561cb (diff) |
verify enough buffer space to decompress a packet
Diffstat (limited to 'linux')
-rw-r--r-- | linux/mppe/ppp_mppe_compress.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/linux/mppe/ppp_mppe_compress.c b/linux/mppe/ppp_mppe_compress.c index c652b69..2e98e18 100644 --- a/linux/mppe/ppp_mppe_compress.c +++ b/linux/mppe/ppp_mppe_compress.c @@ -412,9 +412,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf, state->unit, isize); return DECOMP_ERROR; } - /* Strange ... our output size is always LESS than the input size. */ - /* assert(osize >= isize - MPPE_OVHD - 2); */ + /* Make sure we have enough room to decrypt the packet. */ + if (osize < isize - MPPE_OVHD - 2) { + printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! " + "(have: %d need: %d)\n", state->unit, + osize, isize - MPPE_OVHD - 2); + return DECOMP_ERROR; + } osize = isize - MPPE_OVHD - 2; ccount = MPPE_CCOUNT(ibuf); @@ -508,11 +513,11 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf, * comes from the decrypted data. */ obuf[0] = PPP_ADDRESS(ibuf); /* +1 */ - obuf[1] = PPP_CONTROL(ibuf); /* +2 */ + obuf[1] = PPP_CONTROL(ibuf); /* +1 */ obuf += 2; ibuf += PPP_HDRLEN + MPPE_OVHD; isize -= PPP_HDRLEN + MPPE_OVHD; /* -6 */ - /* net: -4 */ + /* net osize: isize-4 */ /* And finally, decrypt the packet. */ arcfour_decrypt(&state->arcfour_context, ibuf, isize, obuf); |