Index: parsenfsfh.c
===================================================================
RCS file: /tcpdump/master/tcpdump/parsenfsfh.c,v
retrieving revision 1.18
diff -u -r1.18 parsenfsfh.c
--- parsenfsfh.c 1 Jul 2000 03:39:00 -0000 1.18
+++ parsenfsfh.c 10 Mar 2003 20:36:47 -0000
@@ -378,7 +378,7 @@
 /* Save the actual handle, so it can be display with -u */
 for (i = 0; i < 32; i++)
- (void)sprintf(&(fsidp->Opaque_Handle[i*2]), "%.2X", fhp[i]);
+ (void)snprintf(&(fsidp->Opaque_Handle[i*2]), 3, "%.2X", fhp[i]);
 fsidp->fsid_code = 0;
 fsidp->Fsid_dev.Minor = 257;
Index: print-bgp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-bgp.c,v
retrieving revision 1.21
diff -u -r1.21 print-bgp.c
--- print-bgp.c 5 Dec 2000 05:48:35 -0000 1.21
+++ print-bgp.c 10 Mar 2003 20:36:48 -0000
@@ -466,11 +466,19 @@
 switch (af) {
 case AFNUM_INET:
 advance = decode_prefix4(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
 printf(" %s", buf);
 break;
 #ifdef INET6
 case AFNUM_INET6:
 advance = decode_prefix6(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
 printf(" %s", buf);
 break;
 #endif
@@ -502,11 +510,19 @@
 switch (af) {
 case AFNUM_INET:
 advance = decode_prefix4(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
 printf(" %s", buf);
 break;
 #ifdef INET6
 case AFNUM_INET6:
 advance = decode_prefix6(p, buf, sizeof(buf));
+ if (advance < 0) {
+ p = dat + len;
+ break;
+ }
 printf(" %s", buf);
 break;
 #endif
@@ -592,6 +608,7 @@
 printf(" (Withdrawn routes: %d bytes)", len);
 #else
 char buf[MAXHOSTNAMELEN + 100];
+ int wpfx;
 TCHECK2(p[2], len);
 i = 2;
@@ -599,7 +616,10 @@
 printf(" (Withdrawn routes:");
 while(i < 2 + len) {
- i += decode_prefix4(&p[i], buf, sizeof(buf));
+ wpfx = decode_prefix4(&p[i], buf, sizeof(buf));
+ if (wpfx < 0)
+ break;
+ i += wpfx;
 printf(" %s", buf);
 }
 printf(")\n");
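Review bot: The bound of 3 matches exactly one `"%.2X"` pair plus its terminator, so the last iteration (i == 31) writes its NUL at `Opaque_Handle[64]`; the array's declaration is not in this hunk, so confirm it holds 2*32+1 bytes, otherwise that terminating byte still lands one past the end. The loop count 32 and the size 3 are both magic numbers tied to that declaration; if Opaque_Handle is a true array, deriving the loop bound from `sizeof(fsidp->Opaque_Handle)` would keep them in step, or at least add `/* two hex digits + NUL per byte; the array must hold 2*32+1 */` above the loop. Should fhp[i] ever format to more than two digits, snprintf now truncates the pair instead of overrunning the next slot, which is the safe direction here. The enclosing function starts and ends outside the hunk.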
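Review bot: Setting `p = dat + len` before the `break` only ends the enclosing loop if nothing after the switch moves p again; if the statement following the switch (outside this hunk) is still `p += advance;`, the negative return pulls p back inside the buffer and the loop resumes on the same trailing bytes, which for a truncation result repeats indefinitely. A safer shape is to leave p alone in the case arms and test the result once after the switch, `if (advance < 0) break;`, before the `p += advance;`. The same pattern is added in the second hunk at @@ -502,11 +510,19 @@. Both loops start and end outside the hunk.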
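Review bot: A negative return now exits the loop silently and the following `printf(")\n")` closes the list as if it were complete, so a truncated or malformed withdrawn-routes list is indistinguishable from a clean one in the output. The function already uses `TCHECK2`, so it has a `trunc` label; if decode_prefix4 signals a short capture with -1 (its body is outside this hunk), `if (wpfx < 0) goto trunc;` would report it the way the other short-packet paths do, and a malformed prefix length deserves at least a printed marker before the `break`. The NLRI loop in the hunk at @@ -660,9 +680,9 @@ exits in the same silent way. The enclosing function starts and ends outside the hunk.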
@@ -660,9 +680,9 @@
 while (dat + length > p) {
 char buf[MAXHOSTNAMELEN + 100];
 i = decode_prefix4(p, buf, sizeof(buf));
- printf(" %s", buf);
 if (i < 0) break;
+ printf(" %s", buf);
 p += i;
 }
Index: print-isakmp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
retrieving revision 1.26
diff -u -r1.26 print-isakmp.c
--- print-isakmp.c 12 Dec 2000 09:20:26 -0000 1.26
+++ print-isakmp.c 10 Mar 2003 20:36:50 -0000
@@ -1033,6 +1033,7 @@
 {
 u_char *cp;
 struct isakmp_gen e;
+ u_int item_len;
 cp = (u_char *)ext;
 safememcpy(&e, ext, sizeof(e));
@@ -1041,7 +1042,16 @@
 cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
 else {
 printf("%s", NPSTR(np));
- cp += ntohs(e.len);
+ item_len = ntohs(e.len);
+ if (item_len == 0) {
+ /*
+ * We don't want to loop forever processing this
+ * bogus (zero-length) item; return NULL so that
+ * we stop dissecting.
+ */
+ cp = NULL;
+ } else
+ cp += item_len;
 }
 return cp;
 }
@@ -1073,6 +1083,11 @@
 cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
 printf(")");
 depth--;
+
+ if (cp == NULL) {
+ /* Zero-length subitem */
+ return NULL;
+ }
 np = e.np;
 ext = (struct isakmp_gen *)cp;
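Review bot: The new check stops only the zero-length case; `cp += item_len` still advances by a 16-bit length taken from the packet with no comparison against `ep`, so a length larger than the remaining capture leaves cp past the captured data, and whether the caller re-checks that before its next `safememcpy` is outside this hunk. Since `ep` is already in scope (it is handed to the NPFUNC printer), one guard can cover both cases, types permitting: `if (item_len == 0 || (u_int)(ep - cp) < item_len) cp = NULL; else cp += item_len;`. A length smaller than `sizeof(e)` is also suspect, since the next generic header would overlap this one, and could be rejected in the same condition. The "return NULL so that we stop dissecting" wording is the contract the caller depends on and belongs in the function's header comment as well, which is outside the hunk.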
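Review bot: The comment `/* Zero-length subitem */` names only one cause, but the check catches any NULL that `isakmp_sub0_print` returns, including whatever the NPFUNC printers it dispatches to may return (their bodies are outside this hunk), so a reader adding another NULL path later would find the comment wrong. Suggest `/* isakmp_sub0_print gave up (e.g. zero-length item); stop dissecting */`. Placing the test after `printf(")")` and `depth--` keeps the output and depth counter consistent on early return, which is the right order; the loop head that bounds `ext` against `ep` is outside the hunk, so the non-NULL path still relies on that check for a cp advanced past the end. The enclosing loop and function start and end outside the hunk.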