From 5d000b07738ee13d347d721d2492f739b212fdf5 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Le Bail
Date: Sun, 14 Feb 2021 11:35:40 +0100
Subject: [PATCH] L2TP: Add a bounds check

Check if the offset padding octets are in the packet buffer.
---
 print-l2tp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/print-l2tp.c b/print-l2tp.c
index 184ff752..024705f8 100644
--- a/print-l2tp.c
+++ b/print-l2tp.c
@@ -807,6 +807,8 @@ l2tp_print(netdissect_options *ndo, const u_char *dat, u_int length)
 
 if (flag_o) { /* Offset Size */
 pad = GET_BE_U_2(ptr);
+ /* Offset padding octets in packet buffer? */
+ ND_TCHECK_LEN(ptr + 2, pad);
 ptr += (2 + pad);
 cnt += (2 + pad);
 }
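Review bot: The added `ND_TCHECK_LEN(ptr + 2, pad)` in the `flag_o` branch only establishes that the padding octets lie inside the captured buffer; it does not relate `pad`, a 16-bit value read from the packet, to the `length` argument of `l2tp_print`. `cnt` grows by `2 + pad` immediately afterwards, so the code after this branch should compare `cnt` with `length` before any payload is dissected; that part of the function is outside the hunk, so I cannot confirm it does. The new comment is phrased as a question, and I would state the intent instead, e.g. `/* pad is packet-controlled: the padding octets must be captured before we skip them */`. The macro presumably leaves through the function's truncation label, which is also outside the hunk.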