Revert "slip: make slhc_remember() more robust against malicious packets"
This reverts commit 9fe9feaa4c.
This commit is contained in:
Ksawlii
parent
a8299c44cf
commit
31712644b6
1 changed files with 23 additions and 34 deletions
|
|
@ -643,57 +643,46 @@ bad:
|
|||
int
|
||||
slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
|
||||
{
|
||||
const struct tcphdr *th;
|
||||
unsigned char index;
|
||||
struct iphdr *iph;
|
||||
struct cstate *cs;
|
||||
unsigned int ihl;
|
||||
unsigned ihl;
|
||||
|
||||
/* The packet is shorter than a legal IP header.
|
||||
* Also make sure isize is positive.
|
||||
*/
|
||||
if (isize < (int)sizeof(struct iphdr)) {
|
||||
runt:
|
||||
unsigned char index;
|
||||
|
||||
if(isize < 20) {
|
||||
/* The packet is shorter than a legal IP header */
|
||||
comp->sls_i_runt++;
|
||||
return slhc_toss(comp);
|
||||
return slhc_toss( comp );
|
||||
}
|
||||
iph = (struct iphdr *)icp;
|
||||
/* Peek at the IP header's IHL field to find its length */
|
||||
ihl = iph->ihl;
|
||||
/* The IP header length field is too small,
|
||||
* or packet is shorter than the IP header followed
|
||||
* by minimal tcp header.
|
||||
*/
|
||||
if (ihl < 5 || isize < ihl * 4 + sizeof(struct tcphdr))
|
||||
goto runt;
|
||||
|
||||
index = iph->protocol;
|
||||
iph->protocol = IPPROTO_TCP;
|
||||
ihl = icp[0] & 0xf;
|
||||
if(ihl < 20 / 4){
|
||||
/* The IP header length field is too small */
|
||||
comp->sls_i_runt++;
|
||||
return slhc_toss( comp );
|
||||
}
|
||||
index = icp[9];
|
||||
icp[9] = IPPROTO_TCP;
|
||||
|
||||
if (ip_fast_csum(icp, ihl)) {
|
||||
/* Bad IP header checksum; discard */
|
||||
comp->sls_i_badcheck++;
|
||||
return slhc_toss(comp);
|
||||
return slhc_toss( comp );
|
||||
}
|
||||
if (index > comp->rslot_limit) {
|
||||
if(index > comp->rslot_limit) {
|
||||
comp->sls_i_error++;
|
||||
return slhc_toss(comp);
|
||||
}
|
||||
th = (struct tcphdr *)(icp + ihl * 4);
|
||||
if (th->doff < sizeof(struct tcphdr) / 4)
|
||||
goto runt;
|
||||
if (isize < ihl * 4 + th->doff * 4)
|
||||
goto runt;
|
||||
|
||||
/* Update local state */
|
||||
cs = &comp->rstate[comp->recv_current = index];
|
||||
comp->flags &=~ SLF_TOSS;
|
||||
memcpy(&cs->cs_ip, iph, sizeof(*iph));
|
||||
memcpy(&cs->cs_tcp, th, sizeof(*th));
|
||||
memcpy(&cs->cs_ip,icp,20);
|
||||
memcpy(&cs->cs_tcp,icp + ihl*4,20);
|
||||
if (ihl > 5)
|
||||
memcpy(cs->cs_ipopt, &iph[1], (ihl - 5) * 4);
|
||||
if (th->doff > 5)
|
||||
memcpy(cs->cs_tcpopt, &th[1], (th->doff - 5) * 4);
|
||||
cs->cs_hsize = ihl*2 + th->doff*2;
|
||||
memcpy(cs->cs_ipopt, icp + sizeof(struct iphdr), (ihl - 5) * 4);
|
||||
if (cs->cs_tcp.doff > 5)
|
||||
memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
|
||||
cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
|
||||
cs->initialized = true;
|
||||
/* Put headers back on packet
|
||||
* Neither header checksum is recalculated
|
||||
|
|
|
|||
Loading…
Reference in a new issue