--- /dev/null
+/etc/check_mk/
#Gets: IP, CIDR (10.10.10.0-255, 24)
#Gives: 10.10.10.0
my ($ccdip,$ccdsubnet) = @_;
- my $ip_address_binary = &Socket::inet_pton( AF_INET,$ccdip );
- my $netmask_binary = &Socket::inet_pton(AF_INET,&iporsubtodec($ccdsubnet));
- my $network_address = &Socket::inet_ntop( AF_INET,$ip_address_binary & $netmask_binary );
+ my $ip_address_binary = inet_aton( $ccdip );
+ my $netmask_binary = ~pack("N", (2**(32-$ccdsubnet))-1);
+ my $network_address = inet_ntoa( $ip_address_binary & $netmask_binary );
return $network_address;
}
# Return: TRUE/FALSE
sub IpInSubnet
{
- my $addr = shift;
- my $network = shift;
- my $netmask = shift;
-
- my $addr_num = &Socket::inet_pton(AF_INET,$addr);
- my $network_num = &Socket::inet_pton(AF_INET,$network);
- my $netmask_num = &Socket::inet_pton(AF_INET,$netmask);
-
- # Find start address
- my $network_start = $network_num & $netmask_num;
-
- # Find end address
- my $network_end = $network_start ^ ~$netmask_num;
-
- return (($addr_num ge $network_start) && ($addr_num le $network_end));
+ my $ip = unpack('N', &Socket::inet_aton(shift));
+ my $start = unpack('N', &Socket::inet_aton(shift));
+ my $mask = unpack('N', &Socket::inet_aton(shift));
+ $start &= $mask; # base of subnet...
+ my $end = $start + ~$mask;
+ return (($ip >= $start) && ($ip <= $end));
}
#
#usr/share/locale/uz@Latn/LC_MESSAGES
#usr/share/locale/uz@Latn/LC_MESSAGES/ddns.mo
#usr/share/locale/vi/LC_MESSAGES/ddns.mo
+#usr/share/locale/zh
+#usr/share/locale/zh/LC_MESSAGES
+#usr/share/locale/zh/LC_MESSAGES/ddns.mo
#var/ipfire/ddns/ddns.conf.sample
etc/rc.d/init.d/dnsmasq
etc/rc.d/init.d/firewall
etc/rc.d/init.d/networking/red.up/30-ddns
+etc/rc.d/init.d/rngd
srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/netexternal.cgi
--- /dev/null
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
--- /dev/null
+../../../common/ddns
\ No newline at end of file
--- /dev/null
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
--- /dev/null
+../../../common/lzo
\ No newline at end of file
--- /dev/null
+../../../common/openssh
\ No newline at end of file
--- /dev/null
+../../../common/openssl
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2014 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=81
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+# Remove old strongswan files
+
+# Extract files
+extract_files
+
+# Start services
+/etc/init.d/apache restart
+
+# Update Language cache
+#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+^^
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0
# Check if a password has been typed in.
# freedns.afraid.org does not require this field.
- if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org')) {
+ if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org') && ($settings{'SERVICE'} ne 'regfish.com')) {
$errormessage = $Lang::tr{'password not set'};
}
# Splitt hostname field into 2 parts for storrage.
my($hostname, $domain) = split(/\./, $settings{'HOSTNAME'}, 2);
+ # Handle enabled checkbox. When the checkbox is selected a "on" will be returned,
+ # if the checkbox is not checked nothing is returned in this case we set the value to "off".
+ if ($settings{'ENABLED'} ne 'on') {
+ $settings{'ENABLED'} = 'off';
+ }
+
# Handle adding new accounts.
if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
# Write out notice to logfile.
&General::log($Lang::tr{'ddns hostname added'});
- # Update ddns config file.
-
# Handle account edditing.
} elsif ($settings{'ACTION'} eq $Lang::tr{'update'}) {
$checked{'BEHINDROUTER'}{'FETCH_IP'} = '';
$checked{'BEHINDROUTER'}{$settings{'BEHINDROUTER'}} = "checked='checked'";
-$checked{'ENABLED'}{'on'} = ($settings{'ENABLED'} eq '' ) ? '' : "checked='checked'";
+$checked{'ENABLED'}{'on'} = '';
+$checked{'ENABLED'}{'off'} = '';
+$checked{'ENABLED'}{$settings{'ENABLED'}} = "checked='checked'";
# Show box for errormessages..
if ($errormessage) {
<tr>
<td class='base'>$Lang::tr{'enabled'}</td>
- <td><input type='checkbox' name='ENABLED' value='on' $checked{'ENABLED'}{'on'} /></td>
+ <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
<td class='base'>$Lang::tr{'username'}</td>
<td><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td>
</tr>
chomp(@current);
my @temp = split(/\,/,$line);
+ # Handle hostname details. Only connect the values with a dott if both are available.
+ my $hostname="";
+
+ if (($temp[1]) && ($temp[2])) {
+ $hostname="$temp[1].$temp[2]";
+ } else {
+ $hostname="$temp[1]";
+ }
+
# Generate value for enable/disable checkbox.
- my $sync = "<font color='blue'>";
+ my $sync = '';
my $gif = '';
my $gdesc = '';
if ($temp[7] eq "on") {
$gif = 'on.gif';
$gdesc = $Lang::tr{'click to disable'};
- $sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "<font color='green'>": "<font color='red'>") ;
+
+ # Check if the given hostname is a FQDN before doing a nslookup.
+ if (&General::validfqdn($hostname)) {
+ $sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "<font color='green'>": "<font color='red'>") ;
+ }
+
$toggle_enabled = 'off';
} else {
+ $sync = "<font color='blue'>";
$gif = 'off.gif';
$gdesc = $Lang::tr{'click to enable'};
$toggle_enabled = 'on';
if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com"] && $username eq "token") {
$use_token = 1;
- # Handle token auth for freedns.afraid.org.
- } elsif ($provider eq "freedns.afraid.org" && $password eq "") {
+ # Handle token auth for freedns.afraid.org and regfish.com.
+ } elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") {
$use_token = 1;
$password = $username;
####################### End added for snort rules control #################################
if ($snortsettings{'RULES'} eq 'subscripted') {
- $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2961.tar.gz/$snortsettings{'OINKCODE'}";
+ $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'registered') {
- $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/$snortsettings{'OINKCODE'}";
+ $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'community') {
- $url=" http://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz";
+ $url=" https://www.snort.org/rules/community";
} else {
$url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz";
}
$errormessage = $Lang::tr{'name too long'};
goto VPNCONF_ERROR;
}
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
$errormessage = $Lang::tr{'invalid input for name'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
DIR_APP = $(DIR_SRC)/check_mk-${VER}
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = check_mk_agent
-PAK_VER = 3
+PAK_VER = 4
DEPS = ""
include Config
-VER = 003
+VER = 004
THISAPP = ddns-$(VER)
DL_FILE = $(THISAPP).tar.xz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9ff8ab5fa716859b51f63b0a241f1337
+$(DL_FILE)_MD5 = ff77cb72d0cb06c73bde70419b15bae8
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
-
cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire
cd $(DIR_APP) && make $(MAKETUNING)
include Config
-VER = 2.08
+VER = 2.06
THISAPP = lzo-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = fcec64c26a0f4f4901468f360029678f
+$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch
cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
include Config
-VER = 1.0.1h
+VER = 1.0.1i
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 8d6d684a9430d5cc98a62a5d8fbda8cf
+$(DL_FILE)_MD5 = c8dc151a671b9b92ff3e4c118b174972
install : $(TARGET)
include Config
-VER = 0.2.4.22
+VER = 0.2.4.23
THISAPP = tor-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
-PAK_VER = 7
+PAK_VER = 8
DEPS = "libevent2"
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 5a7eee0d9df87233255d78b25c6f8270
+$(DL_FILE)_MD5 = 9e39928e310612c3bffee727f554c63f
install : $(TARGET)
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.15" # Version number
-CORE="80" # Core Level (Filename)
-PAKFIRE_CORE="80" # Core Level (PAKFIRE)
+CORE="81" # Core Level (Filename)
+PAKFIRE_CORE="81" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
CONFIG_ROOT=/var/ipfire # Configuration rootdir
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
boot_mesg "Starting Random Number Generator Daemon..."
- loadproc /usr/sbin/rngd --no-tpm=1
+
+ if pidofproc /usr/sbin/rngd &>/dev/null; then
+ # Is already running.
+ echo_ok
+ else
+ loadproc /usr/sbin/rngd --no-tpm=1
+ fi
;;
stop)
boot_mesg "Stopping Random Number Generator Daemon..."
- killproc /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin/rngd
;;
restart)
############################################################################
#
. /opt/pakfire/lib/functions.sh
+extract_backup_includes
make_backup ${NAME}
remove_files
+++ /dev/null
-From 21fd4b8d26d01d622185ab8de971a9ee934220a3 Mon Sep 17 00:00:00 2001
-From: Michael Tremer <michael.tremer@ipfire.org>
-Date: Thu, 24 Jul 2014 13:23:36 +0200
-Subject: [PATCH] Add a program prefix to syslog messages.
-
----
- src/ddns/__init__.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/ddns/__init__.py b/src/ddns/__init__.py
-index 22764e6..6fe3a33 100644
---- a/src/ddns/__init__.py
-+++ b/src/ddns/__init__.py
-@@ -42,6 +42,8 @@ def setup_logging():
- handler = logging.handlers.SysLogHandler(address="/dev/log",
- facility=logging.handlers.SysLogHandler.LOG_DAEMON
- )
-+ formatter = logging.Formatter("ddns[%(process)d]: %(message)s")
-+ handler.setFormatter(formatter)
- handler.setLevel(logging.INFO)
- rootlogger.addHandler(handler)
-
---
-1.9.3
-
--- /dev/null
+diff --git a/minilzo/minilzo.c b/minilzo/minilzo.c
+index 34ce0f0..ecfdf66 100644
+--- a/minilzo/minilzo.c
++++ b/minilzo/minilzo.c
+@@ -3547,6 +3547,8 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -3561,6 +3563,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ # if (LZO_TEST_OVERRUN_INPUT >= 2)
+ # define NEED_IP(x) \
+ if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ # endif
+ #endif
+
+@@ -3572,6 +3575,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ # undef TEST_OP
+ # define NEED_OP(x) \
+ if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ # endif
+ #endif
+
+@@ -3602,11 +3606,13 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ # define HAVE_NEED_IP 1
+ #else
+ # define NEED_IP(x) ((void) 0)
++# define TEST_IV(x) ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ # define HAVE_NEED_OP 1
+ #else
+ # define NEED_OP(x) ((void) 0)
++# define TEST_OV(x) ((void) 0)
+ #endif
+
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -3687,6 +3693,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ {
+ t += 255;
+ ip++;
++ TEST_IV(t);
+ NEED_IP(1);
+ }
+ t += 15 + *ip++;
+@@ -3835,6 +3842,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 31 + *ip++;
+@@ -3879,6 +3887,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 7 + *ip++;
+@@ -4073,6 +4082,8 @@ lookbehind_overrun:
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -4087,6 +4098,7 @@ lookbehind_overrun:
+ # if (LZO_TEST_OVERRUN_INPUT >= 2)
+ # define NEED_IP(x) \
+ if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ # endif
+ #endif
+
+@@ -4098,6 +4110,7 @@ lookbehind_overrun:
+ # undef TEST_OP
+ # define NEED_OP(x) \
+ if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ # endif
+ #endif
+
+@@ -4128,11 +4141,13 @@ lookbehind_overrun:
+ # define HAVE_NEED_IP 1
+ #else
+ # define NEED_IP(x) ((void) 0)
++# define TEST_IV(x) ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ # define HAVE_NEED_OP 1
+ #else
+ # define NEED_OP(x) ((void) 0)
++# define TEST_OV(x) ((void) 0)
+ #endif
+
+ #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP)
+@@ -4213,6 +4228,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ {
+ t += 255;
+ ip++;
++ TEST_IV(t);
+ NEED_IP(1);
+ }
+ t += 15 + *ip++;
+@@ -4361,6 +4377,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 31 + *ip++;
+@@ -4405,6 +4422,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 7 + *ip++;
+diff --git a/src/lzo1_d.ch b/src/lzo1_d.ch
+index 40a5bfd..c442d9c 100644
+--- a/src/lzo1_d.ch
++++ b/src/lzo1_d.ch
+@@ -76,6 +76,8 @@
+ #undef TEST_LBO
+ #undef NEED_IP
+ #undef NEED_OP
++#undef TEST_IV
++#undef TEST_OV
+ #undef HAVE_TEST_IP
+ #undef HAVE_TEST_OP
+ #undef HAVE_NEED_IP
+@@ -91,6 +93,7 @@
+ # if (LZO_TEST_OVERRUN_INPUT >= 2)
+ # define NEED_IP(x) \
+ if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun
+ # endif
+ #endif
+
+@@ -102,6 +105,7 @@
+ # undef TEST_OP /* don't need both of the tests here */
+ # define NEED_OP(x) \
+ if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun
+ # endif
+ #endif
+
+@@ -135,11 +139,13 @@
+ # define HAVE_NEED_IP 1
+ #else
+ # define NEED_IP(x) ((void) 0)
++# define TEST_IV(x) ((void) 0)
+ #endif
+ #if defined(NEED_OP)
+ # define HAVE_NEED_OP 1
+ #else
+ # define NEED_OP(x) ((void) 0)
++# define TEST_OV(x) ((void) 0)
+ #endif
+
+
+diff --git a/src/lzo1b_d.ch b/src/lzo1b_d.ch
+index fe5f361..36b4b6b 100644
+--- a/src/lzo1b_d.ch
++++ b/src/lzo1b_d.ch
+@@ -187,6 +187,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++;
+diff --git a/src/lzo1f_d.ch b/src/lzo1f_d.ch
+index 9e942f5..0c2199e 100644
+--- a/src/lzo1f_d.ch
++++ b/src/lzo1f_d.ch
+@@ -84,6 +84,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ {
+ t += 255;
+ ip++;
++ TEST_IV(t);
+ NEED_IP(1);
+ }
+ t += 31 + *ip++;
+@@ -138,6 +139,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 31 + *ip++;
+diff --git a/src/lzo1x_d.ch b/src/lzo1x_d.ch
+index 49cf326..c804cc7 100644
+--- a/src/lzo1x_d.ch
++++ b/src/lzo1x_d.ch
+@@ -120,6 +120,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ {
+ t += 255;
+ ip++;
++ TEST_IV(t);
+ NEED_IP(1);
+ }
+ t += 15 + *ip++;
+@@ -273,6 +274,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 31 + *ip++;
+@@ -317,6 +319,7 @@ match:
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += 7 + *ip++;
+diff --git a/src/lzo2a_d.ch b/src/lzo2a_d.ch
+index 48e51ca..954f07e 100644
+--- a/src/lzo2a_d.ch
++++ b/src/lzo2a_d.ch
+@@ -131,6 +131,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len,
+ {
+ t += 255;
+ ip++;
++ TEST_OV(t);
+ NEED_IP(1);
+ }
+ t += *ip++;