add boundary, infinite loop checks

[tcpdump] / print-l2tp.c

diff --git a/print-l2tp.c b/print-l2tp.c
index 0cfaa938ccabfe3ce97b53a33c95721cfeab630c..dfc65582c2c26b4f772776a7e5a4699bcdb9f600 100644 (file)
--- a/print-l2tp.c
+++ b/print-l2tp.c
@@ -22,19 +22,17 @@
  */
 
 #ifndef lint
-static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.12 2002-06-11 17:08:51 itojun Exp $";
+static const char rcsid[] _U_ =
+    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.19 2005-04-20 21:49:56 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
+#include <tcpdump-stdinc.h>
+
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
 
 #include "l2tp.h"
 #include "interface.h"
@@ -246,7 +244,7 @@ static char *l2tp_error_code_general[] = {
 static void
 print_string(const u_char *dat, u_int length)
 {
-       int i;
+       u_int i;
        for (i=0; i<length; i++) {
                printf("%c", *dat++);
        }
@@ -255,7 +253,7 @@ print_string(const u_char *dat, u_int length)
 static void
 print_octets(const u_char *dat, u_int length)
 {
-       int i;
+       u_int i;
        for (i=0; i<length; i++) {
                printf("%02x", *dat++);
        }
@@ -476,8 +474,17 @@ l2tp_avp_print(const u_char *dat, int length)
        TCHECK(*ptr);   /* Flags & Length */
        len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
 
-       /* If it is not long enough to decode the entire AVP, we'll
-          abandon. */
+       /* If it is not long enough to contain the header, we'll give up. */
+       if (len < 6)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the packet,
+          we'll give up. */
+       if (len > (u_int)length)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the captured
+          data, we'll give up. */
        TCHECK2(*ptr, len);
        /* After this point, no need to worry about truncation */
 
@@ -610,10 +617,10 @@ l2tp_print(const u_char *dat, u_int length)
        const u_int16_t *ptr = (u_int16_t *)dat;
        u_int cnt = 0;                  /* total octets consumed */
        u_int16_t pad;
-       int flag_t, flag_l, flag_s, flag_o, flag_p;
+       int flag_t, flag_l, flag_s, flag_o;
        u_int16_t l2tp_len;
 
-       flag_t = flag_l = flag_s = flag_o = flag_p = FALSE;
+       flag_t = flag_l = flag_s = flag_o = FALSE;
 
        TCHECK(*ptr);   /* Flags & Version */
        if ((EXTRACT_16BITS(ptr) & L2TP_VERSION_MASK) == L2TP_VERSION_L2TP) {
@@ -643,10 +650,8 @@ l2tp_print(const u_char *dat, u_int length)
                flag_o = TRUE;
                printf("O");
        }
-       if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY) {
-               flag_p = TRUE;
+       if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY)
                printf("P");
-       }
        printf("]");
 
        ptr++;
@@ -683,7 +688,22 @@ l2tp_print(const u_char *dat, u_int length)
                cnt += (2 + pad);
        }
 
+       if (flag_l) {
+               if (length < l2tp_len) {
+                       printf(" Length %u larger than packet", l2tp_len);
+                       return;
+               }
+               length = l2tp_len;
+       }
+       if (length < cnt) {
+               printf(" Length %u smaller than header length", length);
+               return;
+       }
        if (flag_t) {
+               if (!flag_l) {
+                       printf(" No length");
+                       return;
+               }
                if (length - cnt == 0) {
                        printf(" ZLB");
                } else {