From: guy Date: Wed, 20 Apr 2005 21:50:16 +0000 (+0000) Subject: If the length is specified, check to make sure it doesn't go past the X-Git-Tag: tcpdump-3.9.1~126 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/d46c9d0fbe93815f52e2e3269e83e38346b823a6?hp=768e7dfaa6bf0b2a1c20c99f39a49d4743e7ac9d If the length is specified, check to make sure it doesn't go past the end of the packet, and isn't shorter than the header length. Control messages have to have lengths. --- diff --git a/print-l2tp.c b/print-l2tp.c index bd180ff2..31ff0621 100644 --- a/print-l2tp.c +++ b/print-l2tp.c @@ -23,7 +23,7 @@ #ifndef lint static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.17.2.1 2005-04-20 21:36:27 guy Exp $"; + "@(#) $Header: /tcpdump/master/tcpdump/print-l2tp.c,v 1.17.2.2 2005-04-20 21:50:16 guy Exp $"; #endif #ifdef HAVE_CONFIG_H @@ -688,7 +688,22 @@ l2tp_print(const u_char *dat, u_int length) cnt += (2 + pad); } + if (flag_l) { + if (length < l2tp_len) { + printf(" Length %u larger than packet", l2tp_len); + return; + } + length = l2tp_len; + } + if (length < cnt) { + printf(" Length %u smaller than header length", length); + return; + } if (flag_t) { + if (!flag_l) { + printf(" No length"); + return; + } if (length - cnt == 0) { printf(" ZLB"); } else {