Date: Sat, 13 Jun 1998 17:56:15 -0700 (PDT) From: Brian Somers <brian@FreeBSD.ORG> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-usrsbin@FreeBSD.ORG Subject: cvs commit: src/usr.sbin/ppp slcompress.c slcompress.h vjcomp.c Message-ID: <199806140056.RAA07157@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
brian 1998/06/13 17:56:15 PDT
Modified files:
usr.sbin/ppp slcompress.c slcompress.h vjcomp.c
Log:
o Pass our negotiated number of VJ slots into
sl_uncompress_tcp() and drop packets with
slot numbers that are out of range.
o Drop packets that want to use a slot that still
has an IP header length of 0 (ie, the requested
slot number is bogus again).
Without this code, if the other side mis-behaves (and
sends us garbage slot numbers), we happily ``adjust''
a memset(..., '\0', ...) TCP/IP header and promptly
cr*p all over the stack before returning.... quickly
followed by a SIGBUS.
Dodgy ISP used by, and help locating the problem from: jmz
Problem also seen by: Mourad de Riche <omnibus@image.dk>
There's still a link lockup after this happens, but my
bets are on the other side (who has already started sending
rubbish) being to blame.
Revision Changes Path
1.17 +8 -5 src/usr.sbin/ppp/slcompress.c
1.12 +2 -2 src/usr.sbin/ppp/slcompress.h
1.18 +5 -3 src/usr.sbin/ppp/vjcomp.c
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806140056.RAA07157>