From 2ce9e4d7ad6def2a8e962bdf2b90633e396dd9cf Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 25 Mar 2015 16:48:48 +0100
Subject: [PATCH 3/4] Fix for CVE-2015-2154

(cherry picked from commit 1a4e86d0a273cc81b3236d9f8a5f47b586fec84c)

See: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
---
 print-isoclns.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/print-isoclns.c b/print-isoclns.c
index 8552d02..f870dce 100644
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -3092,9 +3092,15 @@ osi_print_cksum (const u_int8_t *pptr, u_int16_t checksum,
                     u_int checksum_offset, u_int length)
 {
         u_int16_t calculated_checksum;
-
-        /* do not attempt to verify the checksum if it is zero */
-        if (!checksum) {
+        /* do not attempt to verify the checksum if it is zero,
+         * if the total length is nonsense,
+         * if the offset is nonsense,
+         * or the base pointer is not sane
+         */
+        if (!checksum
+            || length > snaplen
+            || checksum_offset > snaplen
+            || checksum_offset > length) {
                 printf("(unverified)");
         } else {
                 calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
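Review bot: The new guard compares `length` and `checksum_offset` with the global `snaplen` rather than with the bytes actually captured from `pptr` onward. If `pptr` points partway into the packet, a `length` that passes the test may still let `create_osi_cksum` read past the end of the captured data. The comment also lists "the base pointer is not sane" as a condition, but nothing in the `if` tests `pptr`. Checking against the end of the buffer would address both points, for example `|| !TTEST2(*pptr, length)`, assuming the usual tcpdump bounds macro is in scope in this file; otherwise that line of the comment should be dropped. The body of `osi_print_cksum` continues past the end of the hunk.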
-- 
2.3.4