Clean up option-walking code.
authorGuy Harris <[email protected]>
Fri, 14 Oct 2011 03:03:29 +0000 (20:03 -0700)
committerGuy Harris <[email protected]>
Fri, 14 Oct 2011 03:03:56 +0000 (20:03 -0700)
Loop as long as the remaining option list length is not zero, even if
that means we try to process the remaining options if the remaining
length is 1, so that if the option length is bogus, we'll report it.

Check for a valid ESIS_OPTION_ES_CONF_TIME length - it's supposed to be
2.

print-isoclns.c

index 7e2bba70a4024af63c92a97c60a218c934c7d8b0..5ab0ad733fec44f59af7d48ca303fa56ab05983a 100644 (file)
@@ -1179,15 +1179,15 @@ esis_print(const u_int8_t *pptr, u_int length)
        }
 
         /* now walk the options */
-        while (li >= 2) {
+        while (li != 0) {
             u_int op, opli;
             const u_int8_t *tptr;
             
-            TCHECK2(*pptr, 2);
             if (li < 2) {
                 printf(", bad opts/li");
                 return;
             }
+            TCHECK2(*pptr, 2);
             op = *pptr++;
             opli = *pptr++;
             li -= 2;
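Review bot: The `while (li != 0)` condition followed immediately by `if (li < 2)` looks like a redundant check to anyone who has not read the commit message, and nothing in the code explains it. A later cleanup could easily restore `li >= 2` and go back to silently ignoring a trailing odd byte. I would extend the existing comment to say so, for example `/* now walk the options; loop while any bytes remain so a 1-byte remainder is reported as bad rather than skipped */`. The loop body continues outside this hunk, so how `opli` is validated against the remaining `li` is not visible here.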
@@ -1206,8 +1206,11 @@ esis_print(const u_int8_t *pptr, u_int length)
             switch (op) {
 
             case ESIS_OPTION_ES_CONF_TIME:
-                TCHECK2(*pptr, 2);
-                printf("%us", EXTRACT_16BITS(tptr));
+                if (opli == 2) {
+                    TCHECK2(*pptr, 2);
+                    printf("%us", EXTRACT_16BITS(tptr));
+                } else
+                    printf("(bad length)");
                 break;
 
             case ESIS_OPTION_PROTOCOLS:
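Review bot: In the `ESIS_OPTION_ES_CONF_TIME` case the bounds check is made on `pptr` but the 16-bit read goes through `tptr`, so the check only protects the read if the two pointers are equal at this point. `tptr` is assigned outside the hunk and presumably mirrors `pptr` here, but checking the pointer that is actually dereferenced removes that dependency: `TCHECK2(*tptr, 2);`. Since the branch is being rewritten anyway, the unbraced `else` next to a braced `if` would also be worth bracing, to keep later edits from attaching a second statement to the wrong arm.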