From: Guy Harris Date: Fri, 14 Oct 2011 03:03:29 +0000 (-0700) Subject: Clean up option-walking code. X-Git-Tag: tcpdump-4.2.1~14 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/dcab638d4ccc7530c224d95e01b119b3b4105221 Clean up option-walking code. Loop as long as the remaining option list length is not zero, even if that means we try to process the remaining options if the remaining length is 1, so that if the option length is bogus, we'll report it. Check for a valid ESIS_OPTION_ES_CONF_TIME length - it's supposed to be 2.
---
diff --git a/print-isoclns.c b/print-isoclns.c
index 7e2bba70..5ab0ad73 100644
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -1179,15 +1179,15 @@ esis_print(const u_int8_t *pptr, u_int length)
 }
 /* now walk the options */
- while (li >= 2) {
+ while (li != 0) {
 u_int op, opli;
 const u_int8_t *tptr;
- TCHECK2(*pptr, 2);
 if (li < 2) {
 printf(", bad opts/li");
 return;
 }
+ TCHECK2(*pptr, 2);
 op = *pptr++;
 opli = *pptr++;
 li -= 2;
@@ -1206,8 +1206,11 @@ esis_print(const u_int8_t *pptr, u_int length)
 switch (op) {
 case ESIS_OPTION_ES_CONF_TIME:
- TCHECK2(*pptr, 2);
- printf("%us", EXTRACT_16BITS(tptr));
+ if (opli == 2) {
+ TCHECK2(*pptr, 2);
+ printf("%us", EXTRACT_16BITS(tptr));
+ } else
+ printf("(bad length)");
 break;
 case ESIS_OPTION_PROTOCOLS:
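Review bot: The new loop head `while (li != 0)` depends on the `if (li < 2)` check inside the body to stop on a one-byte remainder, and nothing at the loop says so. A comment such as `/* loop while any option bytes remain, so a lone trailing byte is reported as bad opts/li rather than skipped */` would stop a later reader from changing the condition back to `li >= 2` and making that check dead again. Because `li` is unsigned, termination also depends on every later subtraction from it being guarded against an `opli` larger than `li`. That code sits between the two hunks and is not visible here, so it is something to confirm rather than a defect seen in these lines.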
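Review bot: In the `ESIS_OPTION_ES_CONF_TIME` case the bounds check is made on `pptr` but the read goes through `tptr`: `TCHECK2(*pptr, 2);` is followed by `EXTRACT_16BITS(tptr)`. If `tptr` is assigned from `pptr` above the hunk, the two agree today. Checking the pointer that is actually dereferenced, `TCHECK2(*tptr, 2);`, keeps the guard correct if either pointer is later advanced on its own. The added `if` is braced while its `else` is not; bracing both (`} else {` ... `}`) avoids a stray statement escaping the branch if a line is added later. The `switch` continues past the end of the hunk.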