authorfenner <fenner@FreeBSD.org>2002-06-17 15:26:56 +0000
committerfenner <fenner@FreeBSD.org>2002-06-17 15:26:56 +0000
commitcd52de85f6eb93546d98661a614401ea69e00df0 (patch)
tree54b1b1fd2d1a2619b8e2373ba7b25b249501ecf8 /contrib/tcpdump/interface.h
parent1d6e66be9ff781d24ccf0d6b4d00dfaf2f3e874b (diff)
In TTEST2(), check to make sure the "l" argument isn't so large that
"snapend - l" underflows; this fixes a buffer overflow with malformed NFS packets, and may fix other buffer overflows with malformed packets. Obtained from: tcpdump.org CVS
Diffstat (limited to 'contrib/tcpdump/interface.h')
-rw-r--r--contrib/tcpdump/interface.h12
1 files changed, 10 insertions, 2 deletions
diff --git a/contrib/tcpdump/interface.h b/contrib/tcpdump/interface.h
index 2459764..af069cb 100644
--- a/contrib/tcpdump/interface.h
+++ b/contrib/tcpdump/interface.h
@@ -132,8 +132,16 @@ extern int snaplen;
extern const u_char *packetp;
extern const u_char *snapend;
-/* True if "l" bytes of "var" were captured */
-#define TTEST2(var, l) ((u_char *)&(var) <= snapend - (l))
+/*
+ * True if "l" bytes of "var" were captured.
+ *
+ * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large
+ * that "snapend - (l)" underflows.
+ *
+ * The check is for <= rather than < because "l" might be 0.
+ */
+#define TTEST2(var, l) (snapend - (l) <= snapend && \
+ (const u_char *)&(var) <= snapend - (l))
/* True if "var" was captured */
#define TTEST(var) TTEST2(var, sizeof(var))
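Review bot: The added guard `snapend - (l) <= snapend` in TTEST2 detects the wrap by forming a pointer that lies outside the captured buffer, which is undefined behaviour in C, so an optimising compiler may assume the comparison is always true and drop it. Comparing lengths rather than pointers avoids relying on wraparound: `#define TTEST2(var, l) ((const u_char *)&(var) <= snapend && \` followed by `(size_t)(l) <= (size_t)(snapend - (const u_char *)&(var)))`, which also rejects a negative `l` once it is converted to size_t. The macro now evaluates `l` twice (and the suggested form evaluates `var` twice as well), so the comment should add a line such as `Arguments are evaluated more than once; do not pass expressions with side effects.` TTEST inherits the behaviour through `sizeof(var)`, which is safe there because sizeof is a constant.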