Index: contrib/tcpdump/print-bgp.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-bgp.c,v
retrieving revision 1.1.1.5
diff -u -d -r1.1.1.5 print-bgp.c
--- contrib/tcpdump/print-bgp.c	31 Mar 2004 09:16:43 -0000	1.1.1.5
+++ contrib/tcpdump/print-bgp.c	30 May 2005 21:03:44 -0000
@@ -1216,6 +1216,8 @@
                             tptr = pptr + len;
                             break;
 			}
+                        if (advance < 0) /* infinite loop protection */
+                            break;
 			tptr += advance;
 		}
 		break;
@@ -1646,9 +1648,10 @@
 		while (dat + length > p) {
 			char buf[MAXHOSTNAMELEN + 100];
 			i = decode_prefix4(p, buf, sizeof(buf));
-			if (i == -1)
+			if (i == -1) {
 				printf("\n\t    (illegal prefix length)");
-			else if (i == -2)
+				break;
+			} else if (i == -2)
 				goto trunc;
 			else {
 				printf("\n\t    %s", buf);
Index: contrib/tcpdump/print-isoclns.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-isoclns.c,v
retrieving revision 1.12
diff -u -d -r1.12 print-isoclns.c
--- contrib/tcpdump/print-isoclns.c	31 Mar 2004 14:57:24 -0000	1.12
+++ contrib/tcpdump/print-isoclns.c	22 May 2005 21:49:06 -0000
@@ -1508,6 +1508,9 @@
                tlv_type,
                tlv_len);
 
+        if (tlv_len == 0) /* something is malformed */
+            break;
+
         /* now check if we have a decoder otherwise do a hexdump at the end*/
 	switch (tlv_type) {
 	case TLV_AREA_ADDR:
@@ -1538,7 +1541,7 @@
 	    break;
 
         case TLV_ISNEIGH_VARLEN:
-            if (!TTEST2(*tptr, 1))
+            if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
 		goto trunctlv;
 	    lan_alen = *tptr++; /* LAN adress length */
             tmp --;
Index: contrib/tcpdump/print-ldp.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-ldp.c,v
retrieving revision 1.1.1.1
diff -u -d -r1.1.1.1 print-ldp.c
--- contrib/tcpdump/print-ldp.c	31 Mar 2004 09:16:56 -0000	1.1.1.1
+++ contrib/tcpdump/print-ldp.c	30 May 2005 21:11:28 -0000
@@ -326,6 +326,9 @@
                EXTRACT_32BITS(&ldp_msg_header->id),
                LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
 
+        if (msg_len == 0) /* infinite loop protection */
+            break;
+
         msg_tptr=tptr+sizeof(struct ldp_msg_header);
         msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
 
Index: contrib/tcpdump/print-rsvp.c
===================================================================
RCS file: /home/ncvs/src/contrib/tcpdump/print-rsvp.c,v
retrieving revision 1.1.1.1
diff -u -d -r1.1.1.1 print-rsvp.c
--- contrib/tcpdump/print-rsvp.c	31 Mar 2004 09:17:07 -0000	1.1.1.1
+++ contrib/tcpdump/print-rsvp.c	21 May 2005 20:13:29 -0000
@@ -875,10 +875,17 @@
             switch(rsvp_obj_ctype) {
             case RSVP_CTYPE_IPV4:
                 while(obj_tlen >= 4 ) {
-                    printf("\n\t    Subobject Type: %s",
+                    printf("\n\t    Subobject Type: %s, length %u",
                            tok2str(rsvp_obj_xro_values,
                                    "Unknown %u",
-                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));                
+                                   RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+                           *(obj_tptr+1));                
+
+                    if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+                        printf("\n\t      ERROR: zero length ERO subtype");
+                        break;
+                    }
+
                     switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
                     case RSVP_OBJ_XRO_IPV4:
                         printf(", %s, %s/%u, Flags: [%s]",