If the length is specified, check to make sure it doesn't go past the

end of the packet, and isn't shorter than the header length.

Control messages have to have lengths.

diff --git a/print-l2tp.c b/print-l2tp.c
index 29cb4e23f79036864fa1a46ae9b1861374a29424..dfc65582c2c26b4f772776a7e5a4699bcdb9f600 100644 (file)
--- a/print-l2tp.c
+++ b/print-l2tp.c
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.18 2005-04-20 21:36:09 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.19 2005-04-20 21:49:56 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -688,7 +688,22 @@ l2tp_print(const u_char *dat, u_int length)
                cnt += (2 + pad);
        }
 
+       if (flag_l) {
+               if (length < l2tp_len) {
+                       printf(" Length %u larger than packet", l2tp_len);
+                       return;
+               }
+               length = l2tp_len;
+       }
+       if (length < cnt) {
+               printf(" Length %u smaller than header length", length);
+               return;
+       }
        if (flag_t) {
+               if (!flag_l) {
+                       printf(" No length");
+                       return;
+               }
                if (length - cnt == 0) {
                        printf(" ZLB");
                } else {