@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
232
232
struct cstate * cs = lcs -> next ;
233
233
unsigned long deltaS , deltaA ;
234
234
short changes = 0 ;
235
- int hlen ;
235
+ int nlen , hlen ;
236
236
unsigned char new_seq [16 ];
237
237
unsigned char * cp = new_seq ;
238
238
struct iphdr * ip ;
@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
248
248
return isize ;
249
249
250
250
ip = (struct iphdr * ) icp ;
251
+ if (ip -> version != 4 || ip -> ihl < 5 )
252
+ return isize ;
251
253
252
254
/* Bail if this packet isn't TCP, or is an IP fragment */
253
255
if (ip -> protocol != IPPROTO_TCP || (ntohs (ip -> frag_off ) & 0x3fff )) {
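Review bot: `ip->ihl < 5` at line 251 writes the minimum IPv4 header length as a bare number, while the TCP guard this same commit adds later (line 268) spells the equivalent bound as `sizeof(struct tcphdr) / 4`; `if (ip->version != 4 || ip->ihl < sizeof(struct iphdr) / 4)` would keep the two checks consistent and self-documenting. Reading `ip->version` and `ip->ihl` at line 251 is only safe if the `return isize` at line 248 is the tail of a minimum-length check on `isize` that covers a basic IPv4 header; that check is above the hunk and worth confirming. slhc_compress starts before this hunk and continues past it.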
@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, unsigned char *icp, int isize,
258
260
comp -> sls_o_tcp ++ ;
259
261
return isize ;
260
262
}
261
- /* Extract TCP header */
263
+ nlen = ip -> ihl * 4 ;
264
+ if (isize < nlen + sizeof (* th ))
265
+ return isize ;
262
266
263
- th = (struct tcphdr * )(((unsigned char * )ip ) + ip -> ihl * 4 );
264
- hlen = ip -> ihl * 4 + th -> doff * 4 ;
267
+ th = (struct tcphdr * )(icp + nlen );
268
+ if (th -> doff < sizeof (struct tcphdr ) / 4 )
269
+ return isize ;
270
+ hlen = nlen + th -> doff * 4 ;
265
271
266
272
/* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
267
273
* some other control bit is set). Also uncompressible if
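Review bot: The new bounds check at line 264, `if (isize < nlen + sizeof(*th))`, compares the signed `isize` with a `size_t` sum, so a negative `isize` would be converted to a large unsigned value and pass; keeping the arithmetic in `int`, `if (isize < nlen + (int)sizeof(*th))`, avoids that and the `-Wsign-compare` warning, though whether any caller can pass a negative length is not visible here. The `/* Extract TCP header */` comment was dropped at line 263 and nothing now says why the guards exist; restoring it above line 267 as `/* Extract TCP header; reject packets too short for the IP and base TCP headers, or with doff below the minimum, so nothing is read past icp[isize] */` would help. Line 264 names the header size as `sizeof(*th)` and line 268 as `sizeof(struct tcphdr)`; `sizeof(*th) / 4` at line 268 would be consistent. slhc_compress starts and ends outside this hunk, and `hlen` (line 270) is not compared with `isize` inside it; the runt check the comment at lines 272-273 leads into presumably does that and sits past the end of the hunk.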