summaryrefslogtreecommitdiffstats
path: root/drivers/net/slip
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2020-03-12 21:29:30 -0700
committerDavid S. Miller <davem@davemloft.net>2020-03-12 22:34:48 -0700
commit1d343579312311aa9875b34d5a921f5e2ec69f0a (patch)
tree64b636b5557d92f5266187f035dac34862db86d5 /drivers/net/slip
parenta8eceea84a3a3504e42f6495cf462027c5d19cb0 (diff)
parent0d81a3f29c0afb18ba2b1275dcccf21e0dd4da38 (diff)
downloadlinux-1d343579312311aa9875b34d5a921f5e2ec69f0a.tar.bz2
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Minor overlapping changes, nothing serious. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/slip')
-rw-r--r--drivers/net/slip/slhc.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 58a69f830d29..f78ceba42e57 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
struct cstate *cs = lcs->next;
unsigned long deltaS, deltaA;
short changes = 0;
- int hlen;
+ int nlen, hlen;
unsigned char new_seq[16];
unsigned char *cp = new_seq;
struct iphdr *ip;
@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
return isize;
ip = (struct iphdr *) icp;
+ if (ip->version != 4 || ip->ihl < 5)
+ return isize;
/* Bail if this packet isn't TCP, or is an IP fragment */
if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) {
@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
comp->sls_o_tcp++;
return isize;
}
- /* Extract TCP header */
+ nlen = ip->ihl * 4;
+ if (isize < nlen + sizeof(*th))
+ return isize;
- th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4);
- hlen = ip->ihl*4 + th->doff*4;
+ th = (struct tcphdr *)(icp + nlen);
+ if (th->doff < sizeof(struct tcphdr) / 4)
+ return isize;
+ hlen = nlen + th->doff * 4;
/* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
* some other control bit is set). Also uncompressible if