And add checks of the NSAP offset.

diff --git a/print-isoclns.c b/print-isoclns.c
index d423d4d1386a7d2a2b893405912a75d94d779022..3ab49b4b748b848850b3fe5f24223c3d991b0705 100644 (file)
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -26,7 +26,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.140 2005-05-25 21:59:05 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.141 2005-05-25 22:06:24 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -822,7 +822,16 @@ static int clnp_print (const u_int8_t *pptr, u_int length)
                     printf("%s %s",
                            tok2str(clnp_option_sr_rr_values,"Unknown",*tptr),
                            tok2str(clnp_option_sr_rr_string_values,"Unknown Option %u",op));
-                    nsap_offset=*(tptr+1)-1; /* offset to nsap list */
+                    nsap_offset=*(tptr+1);
+                    if (nsap_offset == 0) {
+                            printf(" Bad NSAP offset (0)");
+                            break;
+                    }
+                    nsap_offset-=1; /* offset to nsap list */
+                    if (nsap_offset > tlen) {
+                            printf(" Bad NSAP offset (past end of option)");
+                            break;
+                    }
                     tptr+=nsap_offset;
                     tlen-=nsap_offset;
                     while (tlen > 0) {