From 31272f2dd4aee1d14f5dfdff511a037d1a070ba8 Mon Sep 17 00:00:00 2001
From: fenner <fenner@FreeBSD.org>
Date: Tue, 13 Jan 2004 17:28:06 +0000
Subject: Commit vendor fix for l2tp vulnerability reported by Przemyslaw
 Frasunek on bugtraq list.

---
 contrib/tcpdump/print-l2tp.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/contrib/tcpdump/print-l2tp.c b/contrib/tcpdump/print-l2tp.c
index 2e3c090..a765c03 100644
--- a/contrib/tcpdump/print-l2tp.c
+++ b/contrib/tcpdump/print-l2tp.c
@@ -476,8 +476,17 @@ l2tp_avp_print(const u_char *dat, int length)
 	TCHECK(*ptr);	/* Flags & Length */
 	len = EXTRACT_16BITS(ptr) & L2TP_AVP_HDR_LEN_MASK;
 
-	/* If it is not long enough to decode the entire AVP, we'll 
-	   abandon. */
+	/* If it is not long enough to contain the header, we'll give up. */
+	if (len < 6)
+		goto trunc;
+
+	/* If it goes past the end of the remaining length of the packet,
+	   we'll give up. */
+	if (len > (u_int)length)
+		goto trunc;
+
+	/* If it goes past the end of the remaining length of the captured
+	   data, we'll give up. */
 	TCHECK2(*ptr, len);
 	/* After this point, no need to worry about truncation */
 
-- 
cgit v1.1