From: Guy Harris Date: Mon, 9 Jul 2018 16:42:17 +0000 (-0700) Subject: Clean up dissection. X-Git-Tag: tcpdump-4.99-bp~1113 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/154b32ede55d03fb0e3c19ad45349bdb793b9e9f Clean up dissection. Don't use pointers to anything other than octets; there is no guarantee that the L2TP packet is aligned on a 2-byte or 4-byte boundary, and there is no need to pretend that we have pointers to aligned values - we're using the EXTRACT_ macros, which will fetch multi-byte integral values regardless of the alignment of the pointer. This also fixes some cases where we were advancing 2 bytes after processing a 1-byte field - we were incrementing a uint16_t * by 1, which means advancing it by 2 bytes, and we're now incrementing the uint8_t * by 1. Don't cast a 4-byte integer to u_long - EXTRACT_BE_U_4() is guaranteed to return something printable with %u. Don't fetch fields dividded into "high" and "low" portions 2 bytes at a time and reassemble them; the only reason they're divided into "high" and "low" partitions in the ASCII-art diagrams in RFC 2661 is that those diagrams tend to show packets in the form of 32-bit words, and those fields aren't aligned on 32-bit word boundaries, so we can just fetch those fields with EXTRACT_BE_U_4(). Don't print a sequence of AVPs by recursion; iterate instead. Add some RFC numbers while we're at it. --- diff --git a/print-l2tp.c b/print-l2tp.c index 9dd24b20..6e7804ab 100644 --- a/print-l2tp.c +++ b/print-l2tp.c @@ -23,6 +23,8 @@ /* \summary: Layer Two Tunneling Protocol (L2TP) printer */ +/* specification: RFC 2661 */ + #ifdef HAVE_CONFIG_H #include #endif 
@@ -142,7 +144,7 @@ static const struct tok l2tp_msgtype2str[] = { #define L2TP_AVP_PRIVATE_GRP_ID 37 /* Private Group ID */ #define L2TP_AVP_RX_CONN_SPEED 38 /* (Rx) Connect Speed */ #define L2TP_AVP_SEQ_REQUIRED 39 /* Sequencing Required */ -#define L2TP_AVP_PPP_DISCON_CC 46 /* PPP Disconnect Cause Code */ +#define L2TP_AVP_PPP_DISCON_CC 46 /* PPP Disconnect Cause Code - RFC 3145 */ static const struct tok l2tp_avp2str[] = { { L2TP_AVP_MSGTYPE, "MSGTYPE" }, @@ -283,15 +285,15 @@ print_octets(netdissect_options *ndo, const u_char *dat, u_int length) } static void -print_16bits_val(netdissect_options *ndo, const uint16_t *dat) +print_16bits_val(netdissect_options *ndo, const uint8_t *dat) { ND_PRINT("%u", EXTRACT_BE_U_2(dat)); } static void -print_32bits_val(netdissect_options *ndo, const uint32_t *dat) +print_32bits_val(netdissect_options *ndo, const uint8_t *dat) { - ND_PRINT("%lu", (u_long) EXTRACT_BE_U_4(dat)); + ND_PRINT("%u", EXTRACT_BE_U_4(dat)); } /***********************************/ @@ -300,28 +302,24 @@ print_32bits_val(netdissect_options *ndo, const uint32_t *dat) static void l2tp_msgtype_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - if (length < 2) { ND_PRINT("AVP too short"); return; } ND_PRINT("%s", tok2str(l2tp_msgtype2str, "MSGTYPE-#%u", - EXTRACT_BE_U_2(ptr))); + EXTRACT_BE_U_2(dat))); } static void l2tp_result_code_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - /* Result Code */ if (length < 2) { ND_PRINT("AVP too short"); return; } - ND_PRINT("%u", EXTRACT_BE_U_2(ptr)); - ptr++; + ND_PRINT("%u", EXTRACT_BE_U_2(dat)); + dat += 2; length -= 2; /* Error Code (opt) */ 
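Review bot: The value printers from `l2tp_msgtype_print` onward read straight from `dat` with `EXTRACT_BE_U_2()`/`EXTRACT_BE_U_4()` after checking only the AVP `length`, and nothing at these functions says why that is sufficient. The capture-buffer bound appears to come from the `ND_TCHECK_LEN(dat, len)` in `l2tp_avp_print` (a later hunk), so these helpers are only safe when called from there. A comment above the group would state that precondition, for example `/* Callers must have bounds-checked dat[0..length) against the captured data; these printers only check the AVP length. */`. The same applies to the printers in the following hunks; the body of `l2tp_result_code_print` continues past the end of this hunk.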
@@ -331,19 +329,19 @@ l2tp_result_code_print(netdissect_options *ndo, const u_char *dat, u_int length) ND_PRINT(" AVP too short"); return; } - ND_PRINT("/%u", EXTRACT_BE_U_2(ptr)); - ptr++; + ND_PRINT("/%u", EXTRACT_BE_U_2(dat)); + dat += 2; length -= 2; /* Error Message (opt) */ if (length == 0) return; ND_PRINT(" "); - print_string(ndo, (const u_char *)ptr, length); + print_string(ndo, dat, length); } static void -l2tp_proto_ver_print(netdissect_options *ndo, const uint16_t *dat, u_int length) +l2tp_proto_ver_print(netdissect_options *ndo, const u_char *dat, u_int length) { if (length < 2) { ND_PRINT("AVP too short"); @@ -356,16 +354,14 @@ l2tp_proto_ver_print(netdissect_options *ndo, const uint16_t *dat, u_int length) static void l2tp_framing_cap_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint32_t *ptr = (const uint32_t *)dat; - if (length < 4) { ND_PRINT("AVP too short"); return; } - if (EXTRACT_BE_U_4(ptr) & L2TP_FRAMING_CAP_ASYNC_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_FRAMING_CAP_ASYNC_MASK) { ND_PRINT("A"); } - if (EXTRACT_BE_U_4(ptr) & L2TP_FRAMING_CAP_SYNC_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_FRAMING_CAP_SYNC_MASK) { ND_PRINT("S"); } } @@ -373,16 +369,14 @@ l2tp_framing_cap_print(netdissect_options *ndo, const u_char *dat, u_int length) static void l2tp_bearer_cap_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint32_t *ptr = (const uint32_t *)dat; - if (length < 4) { ND_PRINT("AVP too short"); return; } - if (EXTRACT_BE_U_4(ptr) & L2TP_BEARER_CAP_ANALOG_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_BEARER_CAP_ANALOG_MASK) { ND_PRINT("A"); } - if (EXTRACT_BE_U_4(ptr) & L2TP_BEARER_CAP_DIGITAL_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_BEARER_CAP_DIGITAL_MASK) { ND_PRINT("D"); } } 
@@ -394,7 +388,7 @@ l2tp_q931_cc_print(netdissect_options *ndo, const u_char *dat, u_int length) ND_PRINT("AVP too short"); return; } - print_16bits_val(ndo, (const uint16_t *)dat); + print_16bits_val(ndo, dat); ND_PRINT(", %02x", EXTRACT_U_1(dat + 2)); dat += 3; length -= 3; @@ -407,16 +401,14 @@ l2tp_q931_cc_print(netdissect_options *ndo, const u_char *dat, u_int length) static void l2tp_bearer_type_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint32_t *ptr = (const uint32_t *)dat; - if (length < 4) { ND_PRINT("AVP too short"); return; } - if (EXTRACT_BE_U_4(ptr) & L2TP_BEARER_TYPE_ANALOG_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_BEARER_TYPE_ANALOG_MASK) { ND_PRINT("A"); } - if (EXTRACT_BE_U_4(ptr) & L2TP_BEARER_TYPE_DIGITAL_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_BEARER_TYPE_DIGITAL_MASK) { ND_PRINT("D"); } } @@ -424,16 +416,14 @@ l2tp_bearer_type_print(netdissect_options *ndo, const u_char *dat, u_int length) static void l2tp_framing_type_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint32_t *ptr = (const uint32_t *)dat; - if (length < 4) { ND_PRINT("AVP too short"); return; } - if (EXTRACT_BE_U_4(ptr) & L2TP_FRAMING_TYPE_ASYNC_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_FRAMING_TYPE_ASYNC_MASK) { ND_PRINT("A"); } - if (EXTRACT_BE_U_4(ptr) & L2TP_FRAMING_TYPE_SYNC_MASK) { + if (EXTRACT_BE_U_4(dat) & L2TP_FRAMING_TYPE_SYNC_MASK) { ND_PRINT("S"); } } 
@@ -447,125 +437,109 @@ l2tp_packet_proc_delay_print(netdissect_options *ndo) static void l2tp_proxy_auth_type_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - if (length < 2) { ND_PRINT("AVP too short"); return; } ND_PRINT("%s", tok2str(l2tp_authentype2str, - "AuthType-#%u", EXTRACT_BE_U_2(ptr))); + "AuthType-#%u", EXTRACT_BE_U_2(dat))); } static void l2tp_proxy_auth_id_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - if (length < 2) { ND_PRINT("AVP too short"); return; } - ND_PRINT("%u", EXTRACT_BE_U_2(ptr) & L2TP_PROXY_AUTH_ID_MASK); + ND_PRINT("%u", EXTRACT_BE_U_2(dat) & L2TP_PROXY_AUTH_ID_MASK); } static void l2tp_call_errors_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - uint16_t val_h, val_l; + uint32_t val; if (length < 2) { ND_PRINT("AVP too short"); return; } - ptr++; /* skip "Reserved" */ + dat += 2; /* skip "Reserved" */ length -= 2; if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("CRCErr=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("CRCErr=%u ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("FrameErr=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("FrameErr=%u ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("HardOver=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("HardOver=%u ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = 
EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("BufOver=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("BufOver=%u ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("Timeout=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("Timeout=%u ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; - val_l = EXTRACT_BE_U_2(ptr); ptr++; - ND_PRINT("AlignErr=%u ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("AlignErr=%u ", val); } static void l2tp_accm_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - uint16_t val_h, val_l; + uint32_t val; if (length < 2) { ND_PRINT("AVP too short"); return; } - ptr++; /* skip "Reserved" */ + dat += 2; /* skip "Reserved" */ length -= 2; if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - val_l = EXTRACT_BE_U_2(ptr); ptr++; length -= 2; - ND_PRINT("send=%08x ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("send=%08x ", val); if (length < 4) { ND_PRINT("AVP too short"); return; } - val_h = EXTRACT_BE_U_2(ptr); ptr++; - val_l = EXTRACT_BE_U_2(ptr); ptr++; - ND_PRINT("recv=%08x ", (val_h<<16) + val_l); + val = EXTRACT_BE_U_4(dat); dat += 4; length -= 4; + ND_PRINT("recv=%08x ", val); } static void l2tp_ppp_discon_cc_print(netdissect_options *ndo, const u_char *dat, u_int length) { - const uint16_t *ptr = (const uint16_t *)dat; - if (length < 5) { ND_PRINT("AVP too short"); return; 
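Review bot: The six counter stanzas in `l2tp_call_errors_print` are identical apart from the label, so each one has to repeat the `length < 4` check and the `dat += 4; length -= 4;` step correctly by hand. The old code had already drifted here: its last stanza omitted the `length` update. A label table and a single loop would keep the bounds check and the advance in one place and produce the same output; `val` is then no longer needed and a `size_t i;` replaces it. `l2tp_accm_print` has the same shape with two fields and could stay as it is.

```c
static const char * const l2tp_call_error_names[] = {
	"CRCErr", "FrameErr", "HardOver", "BufOver", "Timeout", "AlignErr"
};

/* … unchanged: l2tp_call_errors_print signature and "Reserved" skip … */
	for (i = 0; i < sizeof(l2tp_call_error_names) / sizeof(l2tp_call_error_names[0]); i++) {
		if (length < 4) {
			ND_PRINT("AVP too short");
			return;
		}
		ND_PRINT("%s=%u ", l2tp_call_error_names[i], EXTRACT_BE_U_4(dat));
		dat += 4;
		length -= 4;
	}
```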
@@ -580,32 +554,27 @@ l2tp_ppp_discon_cc_print(netdissect_options *ndo, const u_char *dat, u_int lengt length -= 2; /* Direction */ ND_PRINT("%s", tok2str(l2tp_cc_direction2str, - "Direction-#%u", EXTRACT_U_1(ptr))); - ptr++; + "Direction-#%u", EXTRACT_U_1(dat))); + dat++; length--; if (length != 0) { ND_PRINT(" "); - print_string(ndo, (const u_char *)ptr, length); + print_string(ndo, (const u_char *)dat, length); } } -static void -l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) +static u_int +l2tp_avp_print(netdissect_options *ndo, const u_char *dat, u_int length) { u_int len; - const uint16_t *ptr = (const uint16_t *)dat; uint16_t attr_type; int hidden = FALSE; - if (length <= 0) { - return; - } - ND_PRINT(" "); - ND_TCHECK_2(ptr); /* Flags & Length */ - len = EXTRACT_BE_U_2(ptr) & L2TP_AVP_HDR_LEN_MASK; + ND_TCHECK_2(dat); /* Flags & Length */ + len = EXTRACT_BE_U_2(dat) & L2TP_AVP_HDR_LEN_MASK; /* If it is not long enough to contain the header, we'll give up. */ if (len < 6) @@ -618,7 +587,7 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) /* If it goes past the end of the remaining length of the captured data, we'll give up. */ - ND_TCHECK_LEN(ptr, len); + ND_TCHECK_LEN(dat, len); /* * After this point, we don't need to check whether we go past 
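Review bot: `l2tp_avp_print` now returns `u_int`, but the return contract is not documented at the definition, and the caller's loop depends on it. From the visible lines it returns `len` on success and 0 from the `trunc:` label, which the `len < 6` check presumably also reaches. A header comment would make that explicit: `/* Print one AVP; returns its total length in octets, or 0 if the AVP header is invalid or the data is truncated. */`. Separately, the remaining `(const u_char *)dat` cast in `l2tp_ppp_discon_cc_print` is redundant now that `dat` is already `const u_char *`; `print_string(ndo, dat, length);` matches the other call sites. The body of `l2tp_avp_print` continues beyond this hunk.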
@@ -626,26 +595,26 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) * check whether we go past the end of the AVP. */ - if (EXTRACT_BE_U_2(ptr) & L2TP_AVP_HDR_FLAG_MANDATORY) { + if (EXTRACT_BE_U_2(dat) & L2TP_AVP_HDR_FLAG_MANDATORY) { ND_PRINT("*"); } - if (EXTRACT_BE_U_2(ptr) & L2TP_AVP_HDR_FLAG_HIDDEN) { + if (EXTRACT_BE_U_2(dat) & L2TP_AVP_HDR_FLAG_HIDDEN) { hidden = TRUE; ND_PRINT("?"); } - ptr++; + dat += 2; - if (EXTRACT_BE_U_2(ptr)) { + if (EXTRACT_BE_U_2(dat)) { /* Vendor Specific Attribute */ - ND_PRINT("VENDOR%04x:", EXTRACT_BE_U_2(ptr)); ptr++; - ND_PRINT("ATTR%04x", EXTRACT_BE_U_2(ptr)); ptr++; + ND_PRINT("VENDOR%04x:", EXTRACT_BE_U_2(dat)); dat += 2; + ND_PRINT("ATTR%04x", EXTRACT_BE_U_2(dat)); dat += 2; ND_PRINT("("); - print_octets(ndo, (const u_char *)ptr, len-6); + print_octets(ndo, dat, len-6); ND_PRINT(")"); } else { /* IETF-defined Attributes */ - ptr++; - attr_type = EXTRACT_BE_U_2(ptr); ptr++; + dat += 2; + attr_type = EXTRACT_BE_U_2(dat); dat += 2; ND_PRINT("%s", tok2str(l2tp_avp2str, "AVP-#%u", attr_type)); ND_PRINT("("); if (hidden) { 
@@ -653,26 +622,26 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) } else { switch (attr_type) { case L2TP_AVP_MSGTYPE: - l2tp_msgtype_print(ndo, (const u_char *)ptr, len-6); + l2tp_msgtype_print(ndo, dat, len-6); break; case L2TP_AVP_RESULT_CODE: - l2tp_result_code_print(ndo, (const u_char *)ptr, len-6); + l2tp_result_code_print(ndo, dat, len-6); break; case L2TP_AVP_PROTO_VER: - l2tp_proto_ver_print(ndo, ptr, len-6); + l2tp_proto_ver_print(ndo, dat, len-6); break; case L2TP_AVP_FRAMING_CAP: - l2tp_framing_cap_print(ndo, (const u_char *)ptr, len-6); + l2tp_framing_cap_print(ndo, dat, len-6); break; case L2TP_AVP_BEARER_CAP: - l2tp_bearer_cap_print(ndo, (const u_char *)ptr, len-6); + l2tp_bearer_cap_print(ndo, dat, len-6); break; case L2TP_AVP_TIE_BREAKER: if (len-6 < 8) { ND_PRINT("AVP too short"); break; } - print_octets(ndo, (const u_char *)ptr, 8); + print_octets(ndo, dat, 8); break; case L2TP_AVP_FIRM_VER: case L2TP_AVP_ASSND_TUN_ID: @@ -682,7 +651,7 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) ND_PRINT("AVP too short"); break; } - print_16bits_val(ndo, ptr); + print_16bits_val(ndo, dat); break; case L2TP_AVP_HOST_NAME: case L2TP_AVP_VENDOR_NAME: @@ -691,7 +660,7 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) case L2TP_AVP_SUB_ADDRESS: case L2TP_AVP_PROXY_AUTH_NAME: case L2TP_AVP_PRIVATE_GRP_ID: - print_string(ndo, (const u_char *)ptr, len-6); + print_string(ndo, dat, len-6); break; case L2TP_AVP_CHALLENGE: case L2TP_AVP_INI_RECV_LCP: 
@@ -700,17 +669,17 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) case L2TP_AVP_PROXY_AUTH_CHAL: case L2TP_AVP_PROXY_AUTH_RESP: case L2TP_AVP_RANDOM_VECTOR: - print_octets(ndo, (const u_char *)ptr, len-6); + print_octets(ndo, dat, len-6); break; case L2TP_AVP_Q931_CC: - l2tp_q931_cc_print(ndo, (const u_char *)ptr, len-6); + l2tp_q931_cc_print(ndo, dat, len-6); break; case L2TP_AVP_CHALLENGE_RESP: if (len-6 < 16) { ND_PRINT("AVP too short"); break; } - print_octets(ndo, (const u_char *)ptr, 16); + print_octets(ndo, dat, 16); break; case L2TP_AVP_CALL_SER_NUM: case L2TP_AVP_MINIMUM_BPS: @@ -722,33 +691,33 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) ND_PRINT("AVP too short"); break; } - print_32bits_val(ndo, (const uint32_t *)ptr); + print_32bits_val(ndo, dat); break; case L2TP_AVP_BEARER_TYPE: - l2tp_bearer_type_print(ndo, (const u_char *)ptr, len-6); + l2tp_bearer_type_print(ndo, dat, len-6); break; case L2TP_AVP_FRAMING_TYPE: - l2tp_framing_type_print(ndo, (const u_char *)ptr, len-6); + l2tp_framing_type_print(ndo, dat, len-6); break; case L2TP_AVP_PACKET_PROC_DELAY: l2tp_packet_proc_delay_print(ndo); break; case L2TP_AVP_PROXY_AUTH_TYPE: - l2tp_proxy_auth_type_print(ndo, (const u_char *)ptr, len-6); + l2tp_proxy_auth_type_print(ndo, dat, len-6); break; case L2TP_AVP_PROXY_AUTH_ID: - l2tp_proxy_auth_id_print(ndo, (const u_char *)ptr, len-6); + l2tp_proxy_auth_id_print(ndo, dat, len-6); break; case L2TP_AVP_CALL_ERRORS: - l2tp_call_errors_print(ndo, (const u_char *)ptr, len-6); + l2tp_call_errors_print(ndo, dat, len-6); break; case L2TP_AVP_ACCM: - l2tp_accm_print(ndo, (const u_char *)ptr, len-6); + l2tp_accm_print(ndo, dat, len-6); break; case L2TP_AVP_SEQ_REQUIRED: break; /* No Attribute Value */ case L2TP_AVP_PPP_DISCON_CC: - l2tp_ppp_discon_cc_print(ndo, (const u_char *)ptr, len-6); + l2tp_ppp_discon_cc_print(ndo, dat, len-6); break; default: break; 
@@ -757,11 +726,11 @@ l2tp_avp_print(netdissect_options *ndo, const u_char *dat, int length) ND_PRINT(")"); } - l2tp_avp_print(ndo, dat+len, length-len); - return; + return (len); trunc: nd_print_trunc(ndo); + return (0); } @@ -867,7 +836,22 @@ l2tp_print(netdissect_options *ndo, const u_char *dat, u_int length) if (length - cnt == 0) { ND_PRINT(" ZLB"); } else { - l2tp_avp_print(ndo, ptr, length - cnt); + /* + * Print AVPs. + */ + while (length - cnt != 0) { + u_int avp_length; + + avp_length = l2tp_avp_print(ndo, ptr, length - cnt); + if (avp_length == 0) { + /* + * Truncated. + */ + break; + } + cnt += avp_length; + ptr += avp_length; + } } } else { ND_PRINT(" {");
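Review bot: The new AVP loop in `l2tp_print` terminates on `length - cnt != 0` with unsigned operands, so it is only safe if `l2tp_avp_print` never returns more than the `length - cnt` it was given. The check that would guarantee this (AVP length against remaining packet length) is not visible in these hunks. If one `avp_length` ever exceeded the remainder, the subtraction would wrap and the loop would keep walking `ptr` until a capture-bounds check fired. Writing the condition as `while (cnt < length)` makes termination independent of the callee. The `/* Truncated. */` comment could also note that 0 is returned for an AVP whose length field is below 6, not only for truncation.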