add boundary, infinite loop checks
[tcpdump] / print-l2tp.c
index 7546a860621f00552419544bc3617085cff1b64e..dfc65582c2c26b4f772776a7e5a4699bcdb9f600 100644 (file)
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.17 2003-12-26 23:20:58 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.19 2005-04-20 21:49:56 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -617,10 +617,10 @@ l2tp_print(const u_char *dat, u_int length)
        const u_int16_t *ptr = (u_int16_t *)dat;
        u_int cnt = 0;                  /* total octets consumed */
        u_int16_t pad;
-       int flag_t, flag_l, flag_s, flag_o, flag_p;
+       int flag_t, flag_l, flag_s, flag_o;
        u_int16_t l2tp_len;
 
-       flag_t = flag_l = flag_s = flag_o = flag_p = FALSE;
+       flag_t = flag_l = flag_s = flag_o = FALSE;
 
        TCHECK(*ptr);   /* Flags & Version */
        if ((EXTRACT_16BITS(ptr) & L2TP_VERSION_MASK) == L2TP_VERSION_L2TP) {
@@ -650,10 +650,8 @@ l2tp_print(const u_char *dat, u_int length)
                flag_o = TRUE;
                printf("O");
        }
-       if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY) {
-               flag_p = TRUE;
+       if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY)
                printf("P");
-       }
        printf("]");
 
        ptr++;
@@ -690,7 +688,22 @@ l2tp_print(const u_char *dat, u_int length)
                cnt += (2 + pad);
        }
 
+       if (flag_l) {
+               if (length < l2tp_len) {
+                       printf(" Length %u larger than packet", l2tp_len);
+                       return;
+               }
+               length = l2tp_len;
+       }
+       if (length < cnt) {
+               printf(" Length %u smaller than header length", length);
+               return;
+       }
        if (flag_t) {
+               if (!flag_l) {
+                       printf(" No length");
+                       return;
+               }
                if (length - cnt == 0) {
                        printf(" ZLB");
                } else {
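Review bot: The added length checks have no comment stating the invariant they establish, and that invariant is what keeps the unsigned `length - cnt` in the `flag_t` branch from wrapping when packet-supplied header fields (such as the `pad` added to `cnt` just above) claim more than the message holds. I would add above `if (flag_l)`: `/* Clamp to the L2TP Length field and reject cnt > length, so length - cnt below cannot wrap. */`. `length` is presumably the on-wire length rather than the captured length, so these checks bound the parse to the declared message but do not replace snapshot bounds checks in whatever consumes `length - cnt`. The `else` branch and the rest of `l2tp_print` lie outside the hunk, so that part cannot be confirmed from here.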