author | fenner <fenner@FreeBSD.org> | 2004-01-13 17:28:06 +0000 |
---|---|---|
committer | fenner <fenner@FreeBSD.org> | 2004-01-13 17:28:06 +0000 |
commit | 31272f2dd4aee1d14f5dfdff511a037d1a070ba8 (patch) | |
tree | 34f4a2ae1913d286629e1e6cdbec74bcff712877 /contrib/tcpdump/print-l2tp.c | |
parent | 5f76ebca43302f98858e83a6212d9c610e939bad (diff) | |
Commit vendor fix for l2tp vulnerability reported by
Przemyslaw Frasunek on bugtraq list.
Diffstat (limited to 'contrib/tcpdump/print-l2tp.c')
-rw-r--r-- | contrib/tcpdump/print-l2tp.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/contrib/tcpdump/print-l2tp.c b/contrib/tcpdump/print-l2tp.c
index 2e3c090..a765c03 100644
--- a/contrib/tcpdump/print-l2tp.c
+++ b/contrib/tcpdump/print-l2tp.c
@@ -476,8 +476,17 @@ l2tp_avp_print(const u_char *dat, int length)
 TCHECK(*ptr); /* Flags & Length */
 len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
- /* If it is not long enough to decode the entire AVP, we'll
- abandon. */
+ /* If it is not long enough to contain the header, we'll give up. */
+ if (len < 6)
+ goto trunc;
+
+ /* If it goes past the end of the remaining length of the packet,
+ we'll give up. */
+ if (len > (u_int)length)
+ goto trunc;
+
+ /* If it goes past the end of the remaining length of the captured
+ data, we'll give up. */
 TCHECK2(*ptr, len);
 /* After this point, no need to worry about truncation */ |
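Review bot: The new bound `if (len > (u_int)length)` only holds while `length` is non-negative: `length` is declared `int` in the signature, and a negative value converts to a very large unsigned number, so an oversized `len` would pass this check and be limited only by `TCHECK2`. The callers and the rest of `l2tp_avp_print` are outside the hunk, so whether a negative remainder can reach this point cannot be confirmed here; writing the test as `if (length < 0 || len > (u_int)length)` closes it either way. The literal `6` in `if (len < 6)` would read better as a named constant or with a comment such as `/* flags/length + vendor ID + attribute type, 2 bytes each */`. Both rejections share the `trunc` label with a short capture, so if that label prints a truncation marker (not visible here), a malformed AVP length would look the same in the output as snaplen truncation, which hides a useful signal from whoever is reading the trace.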