add boundary, infinite loop checks

diff --git a/print-ldp.c b/print-ldp.c
index 5fc1f72b343a8e3b1309f9b78dd92a5e22765655..f7437440d765278bb16c6007354d9c6d34685223 100644 (file)
--- a/print-ldp.c
+++ b/print-ldp.c
@@ -16,7 +16,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-ldp.c,v 1.12 2005-04-27 19:16:21 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-ldp.c,v 1.13 2005-05-03 08:21:09 hannes Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -352,14 +352,23 @@ ldp_tlv_print(register const u_char *tptr) {
        case LDP_FEC_HOSTADDRESS:
            break;
        case LDP_FEC_MARTINI_VC:
+            if (!TTEST2(*tptr, 11))
+                goto trunc;
             vc_info_len = *(tptr+2);
+
            printf(": %s, %scontrol word, group-ID %u, VC-ID %u, VC-info-length: %u",
                   tok2str(l2vpn_encaps_values, "Unknown", EXTRACT_16BITS(tptr)&0x7fff),
                   EXTRACT_16BITS(tptr)&0x8000 ? "" : "no ",
                    EXTRACT_32BITS(tptr+3),
                   EXTRACT_32BITS(tptr+7),
                    vc_info_len);
+
+            if (vc_info_len == 0) /* infinite loop protection */
+                break;
+
             tptr+=11;
+            if (!TTEST2(*tptr, vc_info_len))
+                goto trunc;
 
             while (vc_info_len > 2) {
                 vc_info_tlv_type = *tptr;
@@ -463,6 +472,10 @@ ldp_tlv_print(register const u_char *tptr) {
         break;
     }
     return(tlv_len+4); /* Type & Length fields not included */
+ 
+trunc:
+    printf("\n\t\t packet exceeded snapshot");
+    return 0;
 }
 
 void