From 0c02227c588f7cd074891a78237335eb86aa78bf Mon Sep 17 00:00:00 2001
From: yangwei
Date: Sun, 23 Jul 2023 20:45:16 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9E=20fix(l2tp=E5=81=8F=E7=A7=BB?= =?UTF-8?q?=E9=95=BF=E5=BA=A6=E8=AE=A1=E7=AE=97=E6=97=B6=EF=BC=8C=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E9=95=BF=E5=BA=A6=E5=88=A4=E6=96=AD):?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/MESA_jump_layer.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/MESA_jump_layer.cpp b/src/MESA_jump_layer.cpp
index 0803aa8..f91f1c0 100644
--- a/src/MESA_jump_layer.cpp
+++ b/src/MESA_jump_layer.cpp
@@ -389,6 +389,10 @@ static int __mjl_parse_l2tpv2_hdr(const struct l2tp_hdr_v2 *pl2tphdrv2, struct l
 
 if(pl2tphdrv2->offset_present){
 offset_size = ntohs(*((unsigned short *)ptr));
+ if(offset_size > 1460)
+ {
+ return -1;
+ }
 ptr += sizeof(short); /* 2 byte fix len offset size */
 ptr += offset_size; /* var bytes offset value length */
 }
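Review bot: The added `if(offset_size > 1460)` guard compares the packet-supplied Offset Size with a fixed constant instead of the bytes actually left in the buffer, so a short or truncated L2TP packet carrying an offset of 1460 or less still moves `ptr` past the captured data at `ptr += offset_size`. The 2-byte read `ntohs(*((unsigned short *)ptr))` just above it is likewise not preceded by a length check in the visible lines. If the unparsed length is available to this function (the parameter list is cut off in the hunk header, so it may already be passed in), the guard would be stronger as `if (remaining < sizeof(short) || offset_size > remaining - sizeof(short)) return -1;`, where `remaining` is a placeholder name for that length. If the constant has to stay, give it a name and a comment saying where 1460 comes from; it looks like an Ethernet TCP MSS, but that is an assumption. The body of `__mjl_parse_l2tpv2_hdr` starts and ends outside this hunk.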