Diffstat (limited to 'src/decode-pppoe.c')
-rw-r--r--src/decode-pppoe.c27
1 files changed, 11 insertions, 16 deletions
diff --git a/src/decode-pppoe.c b/src/decode-pppoe.c
index f884085..eb5e6ac 100644
--- a/src/decode-pppoe.c
+++ b/src/decode-pppoe.c
@@ -80,11 +80,6 @@ int DecodePPPOEDiscovery(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
return TM_ECODE_OK;
}
- /* parse any tags we have in the packet */
-
- uint32_t tag_length = 0;
- PPPOEDiscoveryTag* pppoedt = (PPPOEDiscoveryTag*) (p->pppoedh + PPPOE_DISCOVERY_HEADER_MIN_LEN);
-
uint32_t pppoe_length = SCNtohs(p->pppoedh->pppoe_length);
uint32_t packet_length = len - PPPOE_DISCOVERY_HEADER_MIN_LEN ;
@@ -97,29 +92,29 @@ int DecodePPPOEDiscovery(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
return TM_ECODE_OK;
}
- while (pppoedt < (PPPOEDiscoveryTag*) (pkt + (len - sizeof(PPPOEDiscoveryTag))) && pppoe_length >=4 && packet_length >=4)
- {
#ifdef DEBUG
+ /* parse any tags we have in the packet */
+
+ uint32_t tag_length = 0;
+ const uint8_t *pkt_pppoedt = pkt + PPPOE_DISCOVERY_HEADER_MIN_LEN;
+
+ // packet_length >= pppoe_length so we have enough data
+ while (pppoe_length >= sizeof(PPPOEDiscoveryTag)) {
+ PPPOEDiscoveryTag *pppoedt = (PPPOEDiscoveryTag *)pkt_pppoedt;
uint16_t tag_type = SCNtohs(pppoedt->pppoe_tag_type);
-#endif
+ // upgrade to u32 to avoid u16 overflow
tag_length = SCNtohs(pppoedt->pppoe_tag_length);
SCLogDebug ("PPPoE Tag type %x, length %"PRIu32, tag_type, tag_length);
if (pppoe_length >= (4 + tag_length)) {
pppoe_length -= (4 + tag_length);
+ pkt_pppoedt = pkt_pppoedt + (4 + tag_length);
} else {
pppoe_length = 0; // don't want an underflow
}
-
- if (packet_length >= 4 + tag_length) {
- packet_length -= (4 + tag_length);
- } else {
- packet_length = 0; // don't want an underflow
- }
-
- pppoedt = pppoedt + (4 + tag_length);
}
+#endif
return TM_ECODE_OK;
}
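Review bot: The loop guard tests `pppoe_length >= sizeof(PPPOEDiscoveryTag)` while the subtraction and the pointer advance both use the literal `4`, so the read bound and the step only agree while the struct is exactly four bytes; one expression for both, e.g. `const uint32_t tag_hdr = sizeof(PPPOEDiscoveryTag);` and `tag_hdr + tag_length`, would keep them in step. Every read of `pppoedt` also depends on the `packet_length >= pppoe_length` check that presumably sits just above this hunk (DecodePPPOEDiscovery begins outside it), so the comment would be safer as `/* the check above rejects pppoe_length > packet_length, so pppoe_length bounds every read below */`. The cast drops the `const` of `pkt_pppoedt` although the tag is only read; `const PPPOEDiscoveryTag *pppoedt = (const PPPOEDiscoveryTag *)pkt_pppoedt;` keeps it. With the walk now inside `#ifdef DEBUG`, a tag whose length runs past the remaining payload is only zeroed out in the `else` branch, so release builds appear to give no signal for a malformed tag list; it is worth confirming that this is intended.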