X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/edb0e92cdcaf06168a38e632847b8fd2c0a62a2d..579d53d4aa0adbf1e29b46b632722f419b5d231b:/print-l2tp.c
diff --git a/print-l2tp.c b/print-l2tp.c
index 5ce40b64..55c21251 100644
--- a/print-l2tp.c
+++ b/print-l2tp.c
@@ -22,8 +22,8 @@
 */
 #ifndef lint
-static const char rcsid[] =
- "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.14 2002-09-05 00:00:14 guy Exp $";
+static const char rcsid[] _U_ =
+ "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.20 2006-06-23 02:03:09 hannes Exp $";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -40,14 +40,6 @@ static const char rcsid[] =
 static char tstr[] = " [|l2tp]";
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-
 #define L2TP_MSGTYPE_SCCRQ 1 /* Start-Control-Connection-Request */
 #define L2TP_MSGTYPE_SCCRP 2 /* Start-Control-Connection-Reply */
 #define L2TP_MSGTYPE_SCCCN 3 /* Start-Control-Connection-Connected */
@@ -474,8 +466,17 @@ l2tp_avp_print(const u_char *dat, int length)
 TCHECK(*ptr); /* Flags & Length */
 len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
- /* If it is not long enough to decode the entire AVP, we'll
- abandon. */
+ /* If it is not long enough to contain the header, we'll give up. */
+ if (len < 6)
+ goto trunc;
+
+ /* If it goes past the end of the remaining length of the packet,
+ we'll give up. */
+ if (len > (u_int)length)
+ goto trunc;
+
+ /* If it goes past the end of the remaining length of the captured
+ data, we'll give up. */
 TCHECK2(*ptr, len);
 /* After this point, no need to worry about truncation */
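Review bot: In the l2tp_avp_print hunk, both new sanity checks (`len < 6` and `len > (u_int)length`) jump to `trunc`, so an AVP whose length field is invalid is reported the same way as a capture cut short by the snapshot length. A malformed length is a different condition from truncation and is worth telling apart when reading a trace; consider printing a distinct message before returning, e.g. `printf(" AVP length %u invalid", len);` (the wording is only a suggestion). The `(u_int)length` cast also assumes `length` is never negative, since a negative `int` would convert to a very large bound and make the check vacuous; any guard for that is outside the hunk, as are the start and end of the function. A short comment on the literal, `/* 6 = flags/length + vendor ID + attribute type, 2 octets each */`, would document the minimum.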
@@ -608,10 +609,10 @@ l2tp_print(const u_char *dat, u_int length)
 const u_int16_t *ptr = (u_int16_t *)dat;
 u_int cnt = 0; /* total octets consumed */
 u_int16_t pad;
- int flag_t, flag_l, flag_s, flag_o, flag_p;
+ int flag_t, flag_l, flag_s, flag_o;
 u_int16_t l2tp_len;
- flag_t = flag_l = flag_s = flag_o = flag_p = FALSE;
+ flag_t = flag_l = flag_s = flag_o = FALSE;
 TCHECK(*ptr); /* Flags & Version */
 if ((EXTRACT_16BITS(ptr) & L2TP_VERSION_MASK) == L2TP_VERSION_L2TP) {
@@ -641,10 +642,8 @@ l2tp_print(const u_char *dat, u_int length)
 flag_o = TRUE;
 printf("O");
 }
- if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY) {
- flag_p = TRUE;
+ if (EXTRACT_16BITS(ptr) & L2TP_FLAG_PRIORITY)
 printf("P");
- }
 printf("]");
 ptr++;
@@ -681,7 +680,22 @@ l2tp_print(const u_char *dat, u_int length)
 cnt += (2 + pad);
 }
+ if (flag_l) {
+ if (length < l2tp_len) {
+ printf(" Length %u larger than packet", l2tp_len);
+ return;
+ }
+ length = l2tp_len;
+ }
+ if (length < cnt) {
+ printf(" Length %u smaller than header length", length);
+ return;
+ }
 if (flag_t) {
+ if (!flag_l) {
+ printf(" No length");
+ return;
+ }
 if (length - cnt == 0) {
 printf(" ZLB");
 } else {
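Review bot: Each of the two new error messages in the last l2tp_print hunk prints only one side of the comparison that failed: `length < l2tp_len` reports `l2tp_len` but not the packet length, and `length < cnt` reports `length` (which by then may already have been replaced by `l2tp_len`) but not `cnt`. Printing both values makes a malformed header diagnosable from the output alone, e.g. `printf(" Length %u smaller than header length %u", length, cnt);`. `length = l2tp_len;` also drops any bytes beyond the declared length without a trace in the output; whether that is intended is not stated here. The code that sets `l2tp_len` and advances `cnt` is above the hunk, and the function continues past it.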