+++ /dev/null
-diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-bgp.c tcpdump-3.8.3/print-bgp.c
---- tcpdump-3.8.3.orig/print-bgp.c 2005-05-06 17:41:55.000000000 -0300
-+++ tcpdump-3.8.3/print-bgp.c 2005-05-06 17:45:08.000000000 -0300
-@@ -1216,6 +1216,8 @@
- tptr = pptr + len;
- break;
- }
-+ if (advance < 0) /* infinite loop protection */
-+ break;
- tptr += advance;
- }
- break;
-diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-isoclns.c tcpdump-3.8.3/print-isoclns.c
---- tcpdump-3.8.3.orig/print-isoclns.c 2005-05-06 17:41:55.000000000 -0300
-+++ tcpdump-3.8.3/print-isoclns.c 2005-05-06 17:53:57.000000000 -0300
-@@ -1250,11 +1250,11 @@
- break;
- case L1_CSNP:
- case L2_CSNP:
-- printf(", src-id %s", isis_print_id(header_csnp->source_id,SYSTEM_ID_LEN));
-+ printf(", src-id %s", isis_print_id(header_csnp->source_id,NODE_ID_LEN));
- break;
- case L1_PSNP:
- case L2_PSNP:
-- printf(", src-id %s", isis_print_id(header_psnp->source_id,SYSTEM_ID_LEN));
-+ printf(", src-id %s", isis_print_id(header_psnp->source_id,NODE_ID_LEN));
- break;
-
- }
-@@ -1506,6 +1506,9 @@
- tlv_type,
- tlv_len);
-
-+ if (tlv_len == 0) /* something is malformed */
-+ break;
-+
- /* now check if we have a decoder otherwise do a hexdump at the end*/
- switch (tlv_type) {
- case TLV_AREA_ADDR:
-@@ -1536,7 +1539,7 @@
- break;
-
- case TLV_ISNEIGH_VARLEN:
-- if (!TTEST2(*tptr, 1))
-+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
- goto trunctlv;
- lan_alen = *tptr++; /* LAN adress length */
- tmp --;
-diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-ldp.c tcpdump-3.8.3/print-ldp.c
---- tcpdump-3.8.3.orig/print-ldp.c 2005-05-06 17:41:55.000000000 -0300
-+++ tcpdump-3.8.3/print-ldp.c 2005-05-06 17:49:09.000000000 -0300
-@@ -326,6 +326,9 @@
- EXTRACT_32BITS(&ldp_msg_header->id),
- LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
-
-+ if (msg_len == 0) /* infinite loop protection */
-+ break;
-+
- msg_tptr=tptr+sizeof(struct ldp_msg_header);
- msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
-
-diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-rsvp.c tcpdump-3.8.3/print-rsvp.c
---- tcpdump-3.8.3.orig/print-rsvp.c 2005-05-06 17:41:55.000000000 -0300
-+++ tcpdump-3.8.3/print-rsvp.c 2005-05-06 17:51:12.000000000 -0300
-@@ -875,10 +875,17 @@
- switch(rsvp_obj_ctype) {
- case RSVP_CTYPE_IPV4:
- while(obj_tlen >= 4 ) {
-- printf("\n\t Subobject Type: %s",
-+ printf("\n\t Subobject Type: %s, length %u",
- tok2str(rsvp_obj_xro_values,
- "Unknown %u",
-- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
-+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
-+ *(obj_tptr+1));
-+
-+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
-+ printf("\n\t ERROR: zero length ERO subtype");
-+ break;
-+ }
-+
- switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
- case RSVP_OBJ_XRO_IPV4:
- printf(", %s, %s/%u, Flags: [%s]",
-@@ -921,8 +928,8 @@
- if (obj_tlen < 8)
- return;
- printf("\n\t Restart Time: %ums, Recovery Time: %ums",
-- EXTRACT_16BITS(obj_tptr),
-- EXTRACT_16BITS(obj_tptr+4));
-+ EXTRACT_32BITS(obj_tptr),
-+ EXTRACT_32BITS(obj_tptr+4));
- obj_tlen-=8;
- obj_tptr+=8;
- break;