From e1999dee5d4d47507b9e1e46812c6cfff9b8b26e Mon Sep 17 00:00:00 2001
From: sam <sam@FreeBSD.org>
Date: Thu, 9 Jun 2005 15:54:42 +0000
Subject: pullup security fix on vendor branch

---
 contrib/tcpdump/print-isoclns.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'contrib/tcpdump')

diff --git a/contrib/tcpdump/print-isoclns.c b/contrib/tcpdump/print-isoclns.c
index 9f2e8c3..444e056 100644
--- a/contrib/tcpdump/print-isoclns.c
+++ b/contrib/tcpdump/print-isoclns.c
@@ -1907,6 +1907,9 @@ static int isis_print (const u_int8_t *p, u_int length)
                tlv_type,
                tlv_len);
 
+        if (tlv_len == 0) /* something is malformed */
+            break;
+
         /* now check if we have a decoder otherwise do a hexdump at the end*/
 	switch (tlv_type) {
 	case ISIS_TLV_AREA_ADDR:
@@ -1937,7 +1940,7 @@ static int isis_print (const u_int8_t *p, u_int length)
 	    break;
 
         case ISIS_TLV_ISNEIGH_VARLEN:
-            if (!TTEST2(*tptr, 1))
+            if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
 		goto trunctlv;
 	    lan_alen = *tptr++; /* LAN adress length */
             tmp --;
-- 
cgit v1.1