Date: Sat, 13 Jun 1998 17:56:15 -0700 (PDT)
From: Brian Somers <brian@FreeBSD.ORG>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-usrsbin@FreeBSD.ORG
Subject: cvs commit: src/usr.sbin/ppp slcompress.c slcompress.h vjcomp.c
Message-ID: <199806140056.RAA07157@freefall.freebsd.org>

brian       1998/06/13 17:56:15 PDT

  Modified files:
    usr.sbin/ppp         slcompress.c slcompress.h vjcomp.c
  Log:
  o Pass our negotiated number of VJ slots into sl_uncompress_tcp()
    and drop packets with slot numbers that are out of range.
  o Drop packets that want to use a slot that still has an IP header
    length of 0 (ie, the requested slot number is bogus again).

  Without this code, if the other side mis-behaves (and sends us
  garbage slot numbers), we happily ``adjust'' a memset(..., '\0', ...)
  TCP/IP header and promptly cr*p all over the stack before
  returning.... quickly followed by a SIGBUS.

  Dodgy ISP used by, and help locating the problem from: jmz
  Problem also seen by: Mourad de Riche <omnibus@image.dk>

  There's still a link lockup after this happens, but my bets are
  on the other side (who has already started sending rubbish)
  being to blame.

  Revision  Changes    Path
  1.17      +8 -5      src/usr.sbin/ppp/slcompress.c
  1.12      +2 -2      src/usr.sbin/ppp/slcompress.h
  1.18      +5 -3      src/usr.sbin/ppp/vjcomp.c
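
The two receive-side checks the commit log describes, shown as an added example that is not the ppp source. It is a simplified C model: the struct layout, the names vj_rx, vj_store and vj_select, the table size, and the reading of the negotiated slot count as an exclusive upper bound are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SLOTS 16                /* size of the receive table (assumed) */
#define MAX_HDR   128               /* room for a saved TCP/IP header */

struct slot {                       /* hypothetical per-connection state */
    uint8_t hlen;                   /* saved header length; 0 = never filled */
    uint8_t hdr[MAX_HDR];
};

struct vj_rx {
    struct slot tab[MAX_SLOTS];
    int last;                       /* last slot used, -1 = none */
};

void vj_init(struct vj_rx *vj) { memset(vj, 0, sizeof *vj); vj->last = -1; }

/* Uncompressed packet: remember its header in the slot it names. */
int vj_store(struct vj_rx *vj, unsigned nslots, unsigned id,
             const uint8_t *hdr, size_t hlen)
{
    if (nslots > MAX_SLOTS || id >= nslots) return -1;   /* out of range */
    if (hlen == 0 || hlen > MAX_HDR) return -1;          /* would not fit */
    memcpy(vj->tab[id].hdr, hdr, hlen);
    vj->tab[id].hlen = (uint8_t)hlen;
    vj->last = (int)id;
    return 0;
}

/* Compressed packet: returns the saved header length, or -1 to drop. */
int vj_select(struct vj_rx *vj, unsigned nslots, unsigned id)
{
    if (nslots > MAX_SLOTS || id >= nslots) return -1;   /* bogus slot number */
    if (vj->tab[id].hlen == 0) return -1;                /* slot never filled */
    vj->last = (int)id;
    return vj->tab[id].hlen;
}

int main(void)
{
    struct vj_rx vj;
    uint8_t hdr[40] = { 0x45 };     /* constructed sample header bytes */
    vj_init(&vj);
    printf("empty slot 2: %d\n", vj_select(&vj, 4, 2));
    vj_store(&vj, 4, 2, hdr, sizeof hdr);
    printf("filled slot 2: %d\n", vj_select(&vj, 4, 2));
    printf("slot 9 of 4: %d\n", vj_select(&vj, 4, 9));
    return 0;
}
```

A caller that gets -1 discards the packet before any header delta is applied, so a zeroed slot is never "adjusted" and copied out.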