Check to make sure the length of an AVP is large enough to include the tcpdump-3.8.1
authorguy <guy>
Fri, 26 Dec 2003 23:21:42 +0000 (23:21 +0000)
committerguy <guy>
Fri, 26 Dec 2003 23:21:42 +0000 (23:21 +0000)
AVP header and doesn't go past the remaining length of the packet.

print-l2tp.c

index c0a52bcd15eee8099f29b9f1f8844f479323d8da..350726ed643e5896101e9484b0034a1dcd589bc3 100644 (file)
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.14.2.2 2003-11-16 08:51:30 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.14.2.3 2003-12-26 23:21:42 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -474,8 +474,17 @@ l2tp_avp_print(const u_char *dat, int length)
        TCHECK(*ptr);   /* Flags & Length */
        len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
 
-       /* If it is not long enough to decode the entire AVP, we'll
-          abandon. */
+       /* If it is not long enough to contain the header, we'll give up. */
+       if (len < 6)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the packet,
+          we'll give up. */
+       if (len > (u_int)length)
+               goto trunc;
+
+       /* If it goes past the end of the remaining length of the captured
+          data, we'll give up. */
        TCHECK2(*ptr, len);
        /* After this point, no need to worry about truncation */
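Review bot: The new bound `if (len > (u_int)length)` is sound only while `length` is positive at this point, because a negative `length` converts to a very large unsigned value and the comparison then rejects nothing; the check that would guarantee this is not visible in the hunk (l2tp_avp_print starts before it and continues after it). I would make the dependency explicit, either with a comment such as `/* length is > 0 here; checked on entry */` if that holds, or by writing `if (length < 0 || len > (u_int)length)`. The literal in `if (len < 6)` is presumably the AVP header size (flags/length, vendor ID and attribute type, two bytes each), and a named constant would document that. Both new checks jump to `trunc`, so an AVP with an invalid length field is reported the same way as a short capture, which loses a useful signal when triaging malformed packets; whether a separate label for invalid input exists is not visible here.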