[packages/tcpdump.git] / tcpdump-l2tp-CAN-2003-1029.patch

--- print-l2tp.c
+++ print-l2tp.c
@@ -476,8 +476,18 @@
 	TCHECK(*ptr);	/* Flags & Length */
 	len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
 
-	/* If it is not long enough to decode the entire AVP, we'll 
-	   abandon. */
+       /* If it is not long enough to contain the header, we'll give up. */
+       if (len < 6)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the packet,
+          we'll give up. */
+       if (len > (u_int)length)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the captured
+          data, we'll give up. */
+
 	TCHECK2(*ptr, len);
 	/* After this point, no need to worry about truncation */
Commit	Line	Data
01e8554b JB	1	--- print-l2tp.c
	2	+++ print-l2tp.c
	3	@@ -476,8 +476,18 @@
	4	TCHECK(ptr); / Flags & Length */
	5	len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
	6
	7	- /* If it is not long enough to decode the entire AVP, we'll
	8	- abandon. */
	9	+ /* If it is not long enough to contain the header, we'll give up. */
	10	+ if (len < 6)
	11	+ goto trunc;
	12	+
	13	+ /* If it goes past the end of the remaining length of the packet,
	14	+ we'll give up. */
	15	+ if (len > (u_int)length)
	16	+ goto trunc;
	17	+
	18	+ /* If it goes past the end of the remaining length of the captured
	19	+ data, we'll give up. */
	20	+
	21	TCHECK2(*ptr, len);
	22	/* After this point, no need to worry about truncation */
	23