From owner-svn-src-stable-9@FreeBSD.ORG  Fri Nov  2 16:57:52 2012
Return-Path: <owner-svn-src-stable-9@FreeBSD.ORG>
Delivered-To: svn-src-stable-9@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 9AE07FBD;
 Fri,  2 Nov 2012 16:57:52 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
 by mx1.freebsd.org (Postfix) with ESMTP id 7FAA48FC08;
 Fri,  2 Nov 2012 16:57:52 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
 by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id qA2Gvq6U063584;
 Fri, 2 Nov 2012 16:57:52 GMT (envelope-from delphij@svn.freebsd.org)
Received: (from delphij@localhost)
 by svn.freebsd.org (8.14.4/8.14.4/Submit) id qA2GvqSY063570;
 Fri, 2 Nov 2012 16:57:52 GMT (envelope-from delphij@svn.freebsd.org)
Message-Id: <201211021657.qA2GvqSY063570@svn.freebsd.org>
From: Xin LI <delphij@FreeBSD.org>
Date: Fri, 2 Nov 2012 16:57:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r242485 - in stable/9: contrib/tcpdump
 usr.sbin/tcpdump/tcpdump
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-9@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for only the 9-stable src tree
 <svn-src-stable-9.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable-9>, 
 <mailto:svn-src-stable-9-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-9>
List-Post: <mailto:svn-src-stable-9@freebsd.org>
List-Help: <mailto:svn-src-stable-9-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable-9>, 
 <mailto:svn-src-stable-9-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2012 16:57:52 -0000

Author: delphij
Date: Fri Nov  2 16:57:51 2012
New Revision: 242485
URL: http://svn.freebsd.org/changeset/base/242485

Log:
  MFC r241235:
  
  MFV tcpdump 4.3.0.

Added:
  stable/9/contrib/tcpdump/print-tipc.c
     - copied unchanged from r241235, head/contrib/tcpdump/print-tipc.c
Modified:
  stable/9/contrib/tcpdump/CHANGES
  stable/9/contrib/tcpdump/CREDITS
  stable/9/contrib/tcpdump/Makefile.in
  stable/9/contrib/tcpdump/VERSION
  stable/9/contrib/tcpdump/configure
  stable/9/contrib/tcpdump/configure.in
  stable/9/contrib/tcpdump/decode_prefix.h
  stable/9/contrib/tcpdump/ethertype.h
  stable/9/contrib/tcpdump/forces.h
  stable/9/contrib/tcpdump/netdissect.h
  stable/9/contrib/tcpdump/print-802_11.c
  stable/9/contrib/tcpdump/print-bgp.c
  stable/9/contrib/tcpdump/print-ether.c
  stable/9/contrib/tcpdump/print-forces.c
  stable/9/contrib/tcpdump/print-icmp6.c
  stable/9/contrib/tcpdump/print-igmp.c
  stable/9/contrib/tcpdump/print-ip.c
  stable/9/contrib/tcpdump/print-ip6opts.c
  stable/9/contrib/tcpdump/print-ldp.c
  stable/9/contrib/tcpdump/print-lldp.c
  stable/9/contrib/tcpdump/print-lwapp.c
  stable/9/contrib/tcpdump/print-ospf6.c
  stable/9/contrib/tcpdump/print-pim.c
  stable/9/contrib/tcpdump/print-pppoe.c
  stable/9/contrib/tcpdump/print-rrcp.c
  stable/9/contrib/tcpdump/tcpdump.1.in
  stable/9/contrib/tcpdump/tcpdump.c
  stable/9/usr.sbin/tcpdump/tcpdump/Makefile
  stable/9/usr.sbin/tcpdump/tcpdump/tcpdump.1
Directory Properties:
  stable/9/contrib/tcpdump/   (props changed)
  stable/9/usr.sbin/tcpdump/   (props changed)

Modified: stable/9/contrib/tcpdump/CHANGES
==============================================================================
--- stable/9/contrib/tcpdump/CHANGES	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/CHANGES	Fri Nov  2 16:57:51 2012	(r242485)
@@ -1,3 +1,19 @@
+Friday  April 3, 2011.  mcr@sandelman.ca.
+  Summary for 4.3.0 tcpdump release
+        fixes for forces: SPARSE data (per RFC 5810)
+        some more test cases added
+        updates to documentation on -l, -U and -w flags.
+        Fix printing of BGP optional headers.
+        Tried to include DLT_PFSYNC support, failed due to headers required.
+        added TIPC support.
+        Fix LLDP Network Policy bit definitions.
+        fixes for IGMPv3's Max Response Time: it is in units of 0.1 second.
+        SIGUSR1 can be used rather than SIGINFO for stats
+        permit -n flag to affect print-ip for protocol numbers
+        ND_OPT_ADVINTERVAL is in milliseconds, not seconds
+        Teach PPPoE parser about RFC 4638
+
+
 Friday  December 9, 2011.  guy@alum.mit.edu.
   Summary for 4.2.1 tcpdump release
 	Only build the Babel printer if IPv6 is enabled.

Modified: stable/9/contrib/tcpdump/CREDITS
==============================================================================
--- stable/9/contrib/tcpdump/CREDITS	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/CREDITS	Fri Nov  2 16:57:51 2012	(r242485)
@@ -43,6 +43,7 @@ Additional people who have contributed p
     Chris Larson                  <clarson at kergoth dot com>
     Christian Sievers             <c_s at users dot sourceforge dot net>
     Christophe Rhodes             <csr21 at cantab dot net>
+    Cliff Frey                    <cliff at meraki dot com>
     Craig Rodrigues               <rodrigc at mediaone dot net>
     Crist J. Clark                <cjclark at alum dot mit dot edu>
     Daniel Hagerty                <hag at ai dot mit dot edu>
@@ -102,6 +103,7 @@ Additional people who have contributed p
     Kelly Carmichael              <kcarmich at ipapp dot com>
     Ken Hornstein                 <kenh at cmf dot nrl dot navy dot mil>
     Kevin Steves                  <stevesk at pobox dot com>
+    Kenichi Maehashi              <webmaster at kenichimaehashi dot com>
     Klaus Klein                   <kleink at reziprozitaet dot de>
     Kris Kennaway                 <kris at freebsd dot org>
     Krzysztof Halasa              <khc at pm dot waw dot pl>
@@ -176,6 +178,7 @@ Additional people who have contributed p
     Sepherosa Ziehau              <sepherosa at gmail dot com>
     Seth Webster                  <swebster at sst dot ll dot mit dot edu>
     Shinsuke Suzuki               <suz at kame dot net>
+    Simon Ruderich                <simon at ruderich dot org>
     Steinar Haug                  <sthaug at nethelp dot no>
     Swaminathan Chandrasekaran    <chander at juniper dot net>
     Takashi Yamamoto              <yamt at mwd dot biglobe dot ne dot jp>

Modified: stable/9/contrib/tcpdump/Makefile.in
==============================================================================
--- stable/9/contrib/tcpdump/Makefile.in	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/Makefile.in	Fri Nov  2 16:57:51 2012	(r242485)
@@ -77,7 +77,7 @@ CSRC =	addrtoname.c af.c checksum.c cpac
 	print-chdlc.c print-cip.c print-cnfp.c print-dccp.c print-decnet.c \
 	print-domain.c print-dtp.c print-dvmrp.c print-enc.c print-egp.c \
 	print-eap.c print-eigrp.c\
-	print-esp.c print-ether.c print-fddi.c print-fr.c \
+	print-esp.c print-ether.c print-fddi.c print-forces.c print-fr.c \
 	print-gre.c print-hsrp.c print-icmp.c print-igmp.c \
 	print-igrp.c print-ip.c print-ipcomp.c print-ipfc.c print-ipnet.c \
 	print-ipx.c print-isoclns.c print-juniper.c print-krb.c \
@@ -91,8 +91,8 @@ CSRC =	addrtoname.c af.c checksum.c cpac
 	print-rx.c print-sctp.c print-sflow.c print-sip.c print-sl.c print-sll.c \
 	print-slow.c print-snmp.c print-stp.c print-sunatm.c print-sunrpc.c \
 	print-symantec.c print-syslog.c print-tcp.c print-telnet.c print-tftp.c \
-	print-timed.c print-token.c print-udld.c print-udp.c print-usb.c \
-	print-vjc.c print-vqp.c print-vrrp.c print-vtp.c print-forces.c \
+	print-timed.c print-tipc.c print-token.c print-udld.c print-udp.c \
+	print-usb.c print-vjc.c print-vqp.c print-vrrp.c print-vtp.c \
 	print-wb.c print-zephyr.c signature.c setsignal.c tcpdump.c util.c
 
 LIBNETDISSECT_SRC=print-isakmp.c
@@ -304,10 +304,11 @@ EXTRA_DIST = \
 	tests/forces1.pcap \
 	tests/forces1vvv.out \
 	tests/forces1vvvv.out \
-	tests/forces2.out \
 	tests/forces2v.out \
 	tests/forces2vv.out \
 	tests/forces3vvv.out \
+	tests/icmpv6.out  \
+	tests/icmpv6.pcap \
 	tests/ikev2four.out \
 	tests/ikev2four.pcap \
 	tests/ikev2fourv.out \
@@ -335,6 +336,8 @@ EXTRA_DIST = \
 	tests/mpls-traceroute.pcap \
 	tests/ospf-gmpls.out \
 	tests/ospf-gmpls.pcap \
+	tests/pppoe.out \
+	tests/pppoe.pcap \
 	tests/print-A.out \
 	tests/print-AA.out \
 	tests/print-capX.out \

Modified: stable/9/contrib/tcpdump/VERSION
==============================================================================
--- stable/9/contrib/tcpdump/VERSION	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/VERSION	Fri Nov  2 16:57:51 2012	(r242485)
@@ -1 +1 @@
-4.2.1
+4.3.0

Modified: stable/9/contrib/tcpdump/configure
==============================================================================
--- stable/9/contrib/tcpdump/configure	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/configure	Fri Nov  2 16:57:51 2012	(r242485)
@@ -7554,9 +7554,23 @@ if test $ac_cv_func_pcap_loop = yes; the
 else
 
 	    { { echo "$as_me:$LINENO: error: Report this to tcpdump-workers@lists.tcpdump.org, and include the
-config.log file in your report" >&5
+config.log file in your report.  If you have downloaded libpcap from
+tcpdump.org, and built it yourself, please also include the config.log
+file from the libpcap source directory, the Makefile from the libpcap
+source directory, and the output of the make process for libpcap, as
+this could be a problem with the libpcap that was built, and we will
+not be able to determine why this is happening, and thus will not be
+able to fix it, without that information, as we have not been able to
+reproduce this problem ourselves." >&5
 echo "$as_me: error: Report this to tcpdump-workers@lists.tcpdump.org, and include the
-config.log file in your report" >&2;}
+config.log file in your report.  If you have downloaded libpcap from
+tcpdump.org, and built it yourself, please also include the config.log
+file from the libpcap source directory, the Makefile from the libpcap
+source directory, and the output of the make process for libpcap, as
+this could be a problem with the libpcap that was built, and we will
+not be able to determine why this is happening, and thus will not be
+able to fix it, without that information, as we have not been able to
+reproduce this problem ourselves." >&2;}
    { (exit 1); exit 1; }; }
 
 fi
@@ -9330,7 +9344,7 @@ fi
 done
 
 if test $ac_cv_func_pcap_findalldevs = "yes" ; then
-    savedppflags="$CPPLAGS"
+    savedcppflags="$CPPFLAGS"
     CPPFLAGS="$CPPFLAGS $V_INCLS"
     { echo "$as_me:$LINENO: checking for pcap_if_t" >&5
 echo $ECHO_N "checking for pcap_if_t... $ECHO_C" >&6; }
@@ -11748,7 +11762,7 @@ _ACEOF
 fi
 
 
-		savedppflags="$CPPLAGS"
+		savedcppflags="$CPPFLAGS"
 		CPPFLAGS="$CPPFLAGS $V_INCLS"
 
 for ac_header in openssl/evp.h

Modified: stable/9/contrib/tcpdump/configure.in
==============================================================================
--- stable/9/contrib/tcpdump/configure.in	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/configure.in	Fri Nov  2 16:57:51 2012	(r242485)
@@ -732,7 +732,7 @@ if test $ac_cv_func_pcap_findalldevs = "
 dnl Check for Mac OS X, which may ship pcap.h from 0.6 but libpcap may
 dnl be 0.8; this means that lib has pcap_findalldevs but header doesn't
 dnl have pcap_if_t.
-    savedppflags="$CPPLAGS"
+    savedcppflags="$CPPFLAGS"
     CPPFLAGS="$CPPFLAGS $V_INCLS"
     AC_CHECK_TYPES(pcap_if_t, , , [#include <pcap.h>])
     CPPFLAGS="$savedcppflags"
@@ -1067,7 +1067,7 @@ if test "$want_libcrypto" != "no"; then
 		fi
 		AC_CHECK_LIB(crypto, DES_cbc_encrypt)
 
-		savedppflags="$CPPLAGS"
+		savedcppflags="$CPPFLAGS"
 		CPPFLAGS="$CPPFLAGS $V_INCLS"
 		AC_CHECK_HEADERS(openssl/evp.h)
 		CPPFLAGS="$savedcppflags"

Modified: stable/9/contrib/tcpdump/decode_prefix.h
==============================================================================
--- stable/9/contrib/tcpdump/decode_prefix.h	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/decode_prefix.h	Fri Nov  2 16:57:51 2012	(r242485)
@@ -33,9 +33,9 @@
 #ifndef tcpdump_decode_prefix_h
 #define tcpdump_decode_prefix_h
 
-extern int decode_prefix4(const u_char *pptr, char *buf, u_int buflen);
+extern int decode_prefix4(const u_char *pptr, u_int itemlen, char *buf, u_int buflen);
 #ifdef INET6
-extern int decode_prefix6(const u_char *pd, char *buf, u_int buflen);
+extern int decode_prefix6(const u_char *pd, u_int itemlen, char *buf, u_int buflen);
 #endif
 
 #endif

Modified: stable/9/contrib/tcpdump/ethertype.h
==============================================================================
--- stable/9/contrib/tcpdump/ethertype.h	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/ethertype.h	Fri Nov  2 16:57:51 2012	(r242485)
@@ -101,6 +101,9 @@
 #ifndef ETHERTYPE_AARP
 #define ETHERTYPE_AARP		0x80f3
 #endif
+#ifndef	ETHERTYPE_TIPC
+#define	ETHERTYPE_TIPC		0x88ca
+#endif
 #ifndef	ETHERTYPE_8021Q
 #define	ETHERTYPE_8021Q		0x8100
 #endif

Modified: stable/9/contrib/tcpdump/forces.h
==============================================================================
--- stable/9/contrib/tcpdump/forces.h	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/forces.h	Fri Nov  2 16:57:51 2012	(r242485)
@@ -308,7 +308,7 @@ static const struct optlv_h OPTLV_msg[F_
 	/* F_OP_GET */ {ZERO_TTLV, 0, " Get", recpdoptlv_print},
 	/* F_OP_GETPROP */ {ZERO_TTLV, 0, " GetProp", recpdoptlv_print},
 	/* F_OP_GETRESP */
-	    {TTLV_T2, B_FULLD | B_RESTV, " GetResp", recpdoptlv_print},
+	    {TTLV_T2, B_FULLD | B_SPARD | B_RESTV, " GetResp", recpdoptlv_print},
 	/* F_OP_GETPRESP */
 	    {TTLV_T2, B_FULLD | B_RESTV, " GetPropResp", recpdoptlv_print},
 	/* F_OP_REPORT */

Modified: stable/9/contrib/tcpdump/netdissect.h
==============================================================================
--- stable/9/contrib/tcpdump/netdissect.h	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/netdissect.h	Fri Nov  2 16:57:51 2012	(r242485)
@@ -280,6 +280,7 @@ extern int esp_print(netdissect_options 
 		     register const u_char *bp, int len, register const u_char *bp2,
 		     int *nhdr, int *padlen);
 extern void arp_print(netdissect_options *,const u_char *, u_int, u_int);
+extern void tipc_print(netdissect_options *, const u_char *, u_int, u_int);
 extern void icmp6_print(netdissect_options *ndo, const u_char *,
                         u_int, const u_char *, int);
 extern void isakmp_print(netdissect_options *,const u_char *,

Modified: stable/9/contrib/tcpdump/print-802_11.c
==============================================================================
--- stable/9/contrib/tcpdump/print-802_11.c	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/print-802_11.c	Fri Nov  2 16:57:51 2012	(r242485)
@@ -485,7 +485,7 @@ static const char *auth_alg_text[]={"Ope
 #define NUM_AUTH_ALGS	(sizeof auth_alg_text / sizeof auth_alg_text[0])
 
 static const char *status_text[] = {
-	"Succesful",						/*  0 */
+	"Successful",						/*  0 */
 	"Unspecified failure",					/*  1 */
 	"Reserved",						/*  2 */
 	"Reserved",						/*  3 */

Modified: stable/9/contrib/tcpdump/print-bgp.c
==============================================================================
--- stable/9/contrib/tcpdump/print-bgp.c	Fri Nov  2 16:54:12 2012	(r242484)
+++ stable/9/contrib/tcpdump/print-bgp.c	Fri Nov  2 16:57:51 2012	(r242485)
@@ -93,8 +93,7 @@ struct bgp_opt {
 	/* variable length */
 };
 #define BGP_OPT_SIZE		2	/* some compilers may pad to 4 bytes */
-
-#define BGP_UPDATE_MINSIZE      23
+#define BGP_CAP_HEADER_SIZE	2	/* some compilers may pad to 4 bytes */
 
 struct bgp_notification {
 	u_int8_t bgpn_marker[16];
@@ -115,19 +114,10 @@ struct bgp_route_refresh {
 };                    /* EXTRACT_16BITS(&bgp_route_refresh->afi) (sigh)      */ 
 #define BGP_ROUTE_REFRESH_SIZE          23
 
-struct bgp_attr {
-	u_int8_t bgpa_flags;
-	u_int8_t bgpa_type;
-	union {
-		u_int8_t len;
-		u_int16_t elen;
-	} bgpa_len;
-#define bgp_attr_len(p) \
-	(((p)->bgpa_flags & 0x10) ? \
-		EXTRACT_16BITS(&(p)->bgpa_len.elen) : (p)->bgpa_len.len)
-#define bgp_attr_off(p) \
-	(((p)->bgpa_flags & 0x10) ? 4 : 3)
-};
+#define bgp_attr_lenlen(flags, p) \
+	(((flags) & 0x10) ? 2 : 1)
+#define bgp_attr_len(flags, p) \
+	(((flags) & 0x10) ? EXTRACT_16BITS(p) : *(p))
 
 #define BGPTYPE_ORIGIN			1
 #define BGPTYPE_AS_PATH			2
@@ -493,38 +483,49 @@ as_printf (char *str, int size, u_int as
 	return str;
 }
 
+#define ITEMCHECK(minlen) if (itemlen < minlen) goto badtlv;
+
 int
-decode_prefix4(const u_char *pptr, char *buf, u_int buflen)
+decode_prefix4(const u_char *pptr, u_int itemlen, char *buf, u_int buflen)
 {
 	struct in_addr addr;
-	u_int plen;
+	u_int plen, plenbytes;
 
 	TCHECK(pptr[0]);
+	ITEMCHECK(1);
 	plen = pptr[0];
 	if (32 < plen)
 		return -1;
+	itemlen -= 1;
 
 	memset(&addr, 0, sizeof(addr));
-	TCHECK2(pptr[1], (plen + 7) / 8);
-	memcpy(&addr, &pptr[1], (plen + 7) / 8);
+	plenbytes = (plen + 7) / 8;
+	TCHECK2(pptr[1], plenbytes);
+	ITEMCHECK(plenbytes);
+	memcpy(&addr, &pptr[1], plenbytes);
 	if (plen % 8) {
-		((u_char *)&addr)[(plen + 7) / 8 - 1] &=
+		((u_char *)&addr)[plenbytes - 1] &=
 			((0xff00 >> (plen % 8)) & 0xff);
 	}
 	snprintf(buf, buflen, "%s/%d", getname((u_char *)&addr), plen);
-	return 1 + (plen + 7) / 8;
+	return 1 + plenbytes;
 
 trunc:
 	return -2;
+
+badtlv:
+	return -3;
 }
 
 static int
-decode_labeled_prefix4(const u_char *pptr, char *buf, u_int buflen)
+decode_labeled_prefix4(const u_char *pptr, u_int itemlen, char *buf, u_int buflen)
 {
 	struct in_addr addr;
-	u_int plen;
+	u_int plen, plenbytes;
 
-	TCHECK(pptr[0]);
+	/* prefix length and label = 4 bytes */
+	TCHECK2(pptr[0], 4);
+	ITEMCHECK(4);
 	plen = pptr[0];   /* get prefix length */
 
         /* this is one of the weirdnesses of rfc3107
@@ -542,12 +543,15 @@ decode_labeled_prefix4(const u_char *ppt
 
 	if (32 < plen)
 		return -1;
+	itemlen -= 4;
 
 	memset(&addr, 0, sizeof(addr));
-	TCHECK2(pptr[4], (plen + 7) / 8);
-	memcpy(&addr, &pptr[4], (plen + 7) / 8);
+	plenbytes = (plen + 7) / 8;
+	TCHECK2(pptr[4], plenbytes);
+	ITEMCHECK(plenbytes);
+	memcpy(&addr, &pptr[4], plenbytes);
 	if (plen % 8) {
-		((u_char *)&addr)[(plen + 7) / 8 - 1] &=
+		((u_char *)&addr)[plenbytes - 1] &=
 			((0xff00 >> (plen % 8)) & 0xff);
 	}
         /* the label may get offsetted by 4 bits so lets shift it right */
@@ -557,10 +561,13 @@ decode_labeled_prefix4(const u_char *ppt
                  EXTRACT_24BITS(pptr+1)>>4,
                  ((pptr[3]&1)==0) ? "(BOGUS: Bottom of Stack NOT set!)" : "(bottom)" );
 
-	return 4 + (plen + 7) / 8;
+	return 4 + plenbytes;
 
 trunc:
 	return -2;
+
+badtlv:
+	return -3;
 }
 
 /*
@@ -1041,37 +1048,46 @@ trunc:
 
 #ifdef INET6
 int
-decode_prefix6(const u_char *pd, char *buf, u_int buflen)
+decode_prefix6(const u_char *pd, u_int itemlen, char *buf, u_int buflen)
 {
 	struct in6_addr addr;
-	u_int plen;
+	u_int plen, plenbytes;
 
 	TCHECK(pd[0]);
+	ITEMCHECK(1);
 	plen = pd[0];
 	if (128 < plen)
 		return -1;
+	itemlen -= 1;
 
 	memset(&addr, 0, sizeof(addr));
-	TCHECK2(pd[1], (plen + 7) / 8);
-	memcpy(&addr, &pd[1], (plen + 7) / 8);
+	plenbytes = (plen + 7) / 8;
+	TCHECK2(pd[1], plenbytes);
+	ITEMCHECK(plenbytes);
+	memcpy(&addr, &pd[1], plenbytes);
 	if (plen % 8) {
-		addr.s6_addr[(plen + 7) / 8 - 1] &=
+		addr.s6_addr[plenbytes - 1] &=
 			((0xff00 >> (plen % 8)) & 0xff);
 	}
 	snprintf(buf, buflen, "%s/%d", getname6((u_char *)&addr), plen);
-	return 1 + (plen + 7) / 8;
+	return 1 + plenbytes;
 
 trunc:
 	return -2;
+
+badtlv:
+	return -3;
 }
 
 static int
-decode_labeled_prefix6(const u_char *pptr, char *buf, u_int buflen)
+decode_labeled_prefix6(const u_char *pptr, u_int itemlen, char *buf, u_int buflen)
 {
 	struct in6_addr addr;
-	u_int plen;
+	u_int plen, plenbytes;
 
-	TCHECK(pptr[0]);
+	/* prefix length and label = 4 bytes */
+	TCHECK2(pptr[0], 4);
+	ITEMCHECK(4);
 	plen = pptr[0]; /* get prefix length */
 
 	if (24 > plen)
@@ -1081,12 +1097,14 @@ decode_labeled_prefix6(const u_char *ppt
 
 	if (128 < plen)
 		return -1;
+	itemlen -= 4;
 
 	memset(&addr, 0, sizeof(addr));
-	TCHECK2(pptr[4], (plen + 7) / 8);
-	memcpy(&addr, &pptr[4], (plen + 7) / 8);
+	plenbytes = (plen + 7) / 8;
+	TCHECK2(pptr[4], plenbytes);
+	memcpy(&addr, &pptr[4], plenbytes);
 	if (plen % 8) {
-		addr.s6_addr[(plen + 7) / 8 - 1] &=
+		addr.s6_addr[plenbytes - 1] &=
 			((0xff00 >> (plen % 8)) & 0xff);
 	}
         /* the label may get offsetted by 4 bits so lets shift it right */
@@ -1096,10 +1114,13 @@ decode_labeled_prefix6(const u_char *ppt
                  EXTRACT_24BITS(pptr+1)>>4,
                  ((pptr[3]&1)==0) ? "(BOGUS: Bottom of Stack NOT set!)" : "(bottom)" );
 
-	return 4 + (plen + 7) / 8;
+	return 4 + plenbytes;
 
 trunc:
 	return -2;
+
+badtlv:
+	return -3;
 }
 
 static int
@@ -1266,7 +1287,7 @@ trunc:
 }
 
 static int
-bgp_attr_print(const struct bgp_attr *attr, const u_char *pptr, int len)
+bgp_attr_print(u_int atype, const u_char *pptr, u_int len)
 {
 	int i;
 	u_int16_t af;
@@ -1276,7 +1297,7 @@ bgp_attr_print(const struct bgp_attr *at
             u_int32_t i;
         } bw;
 	int advance;
-	int tlen;
+	u_int tlen;
 	const u_char *tptr;
 	char buf[MAXHOSTNAMELEN + 100];
 	char tokbuf[TOKBUFSIZE];
@@ -1285,7 +1306,7 @@ bgp_attr_print(const struct bgp_attr *at
         tptr = pptr;
         tlen=len;
 
-	switch (attr->bgpa_type) {
+	switch (atype) {
 	case BGPTYPE_ORIGIN:
 		if (len != 1)
 			printf("invalid len");
@@ -1321,7 +1342,7 @@ bgp_attr_print(const struct bgp_attr *at
                  * 2 bytes first, and it does not pass, assume that ASs are
                  * encoded in 4 bytes format and move on.
                  */
-                as_size = bgp_attr_get_as_size(attr->bgpa_type, pptr, len);
+                as_size = bgp_attr_get_as_size(atype, pptr, len);
 
 		while (tptr < pptr + len) {
 			TCHECK(tptr[0]);
@@ -1657,20 +1678,24 @@ bgp_attr_print(const struct bgp_attr *at
                     case (AFNUM_INET<<8 | SAFNUM_UNICAST):
                     case (AFNUM_INET<<8 | SAFNUM_MULTICAST):
                     case (AFNUM_INET<<8 | SAFNUM_UNIMULTICAST):
-                        advance = decode_prefix4(tptr, buf, sizeof(buf));
+                        advance = decode_prefix4(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
                     case (AFNUM_INET<<8 | SAFNUM_LABUNICAST):
-                        advance = decode_labeled_prefix4(tptr, buf, sizeof(buf));
+                        advance = decode_labeled_prefix4(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
@@ -1718,20 +1743,24 @@ bgp_attr_print(const struct bgp_attr *at
                     case (AFNUM_INET6<<8 | SAFNUM_UNICAST):
                     case (AFNUM_INET6<<8 | SAFNUM_MULTICAST):
                     case (AFNUM_INET6<<8 | SAFNUM_UNIMULTICAST):
-                        advance = decode_prefix6(tptr, buf, sizeof(buf));
+                        advance = decode_prefix6(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
                     case (AFNUM_INET6<<8 | SAFNUM_LABUNICAST):
-                        advance = decode_labeled_prefix6(tptr, buf, sizeof(buf));
+                        advance = decode_labeled_prefix6(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
@@ -1821,20 +1850,24 @@ bgp_attr_print(const struct bgp_attr *at
                     case (AFNUM_INET<<8 | SAFNUM_UNICAST):
                     case (AFNUM_INET<<8 | SAFNUM_MULTICAST):
                     case (AFNUM_INET<<8 | SAFNUM_UNIMULTICAST):
-                        advance = decode_prefix4(tptr, buf, sizeof(buf));
+                        advance = decode_prefix4(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
                     case (AFNUM_INET<<8 | SAFNUM_LABUNICAST):
-                        advance = decode_labeled_prefix4(tptr, buf, sizeof(buf));
+                        advance = decode_labeled_prefix4(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
@@ -1853,20 +1886,24 @@ bgp_attr_print(const struct bgp_attr *at
                     case (AFNUM_INET6<<8 | SAFNUM_UNICAST):
                     case (AFNUM_INET6<<8 | SAFNUM_MULTICAST):
                     case (AFNUM_INET6<<8 | SAFNUM_UNIMULTICAST):
-                        advance = decode_prefix6(tptr, buf, sizeof(buf));
+                        advance = decode_prefix6(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
                     case (AFNUM_INET6<<8 | SAFNUM_LABUNICAST):
-                        advance = decode_labeled_prefix6(tptr, buf, sizeof(buf));
+                        advance = decode_labeled_prefix6(tptr, len, buf, sizeof(buf));
                         if (advance == -1)
                             printf("\n\t    (illegal prefix length)");
                         else if (advance == -2)
                             goto trunc;
+                        else if (advance == -3)
+                            break; /* bytes left, but not enough */
                         else
                             printf("\n\t      %s", buf);
                         break;
@@ -2097,40 +2134,50 @@ bgp_attr_print(const struct bgp_attr *at
         }
         case BGPTYPE_ATTR_SET:
                 TCHECK2(tptr[0], 4);
+                if (len < 4)
+                	goto trunc;
 		printf("\n\t    Origin AS: %s",
 		    as_printf(astostr, sizeof(astostr), EXTRACT_32BITS(tptr)));
 		tptr+=4;
                 len -=4;
 
-                while (len >= 2 ) {
-                    int alen;
-                    struct bgp_attr bgpa;
+                while (len) {
+                    u_int aflags, atype, alenlen, alen;
                     
-                    TCHECK2(tptr[0], sizeof(bgpa));
-                    memcpy(&bgpa, tptr, sizeof(bgpa));
-                    alen = bgp_attr_len(&bgpa);
-                    tptr += bgp_attr_off(&bgpa);
-                    len -= bgp_attr_off(&bgpa);
+                    TCHECK2(tptr[0], 2);
+                    if (len < 2)
+                        goto trunc;
+                    aflags = *tptr;
+                    atype = *(tptr + 1);
+                    tptr += 2;
+                    len -= 2;
+                    alenlen = bgp_attr_lenlen(aflags, tptr);
+                    TCHECK2(tptr[0], alenlen);
+                    if (len < alenlen)
+                        goto trunc;
+                    alen = bgp_attr_len(aflags, tptr);
+                    tptr += alenlen;
+                    len -= alenlen;
                     
                     printf("\n\t      %s (%u), length: %u",
                            tok2strbuf(bgp_attr_values,
-				      "Unknown Attribute", bgpa.bgpa_type,
-				      tokbuf, sizeof(tokbuf)),
-                           bgpa.bgpa_type,
+                                      "Unknown Attribute", atype,
+                                      tokbuf, sizeof(tokbuf)),
+                           atype,
                            alen);
                     
-                    if (bgpa.bgpa_flags) {
+                    if (aflags) {
                         printf(", Flags [%s%s%s%s",
-                               bgpa.bgpa_flags & 0x80 ? "O" : "",
-                               bgpa.bgpa_flags & 0x40 ? "T" : "",
-                               bgpa.bgpa_flags & 0x20 ? "P" : "",
-                               bgpa.bgpa_flags & 0x10 ? "E" : "");
-                        if (bgpa.bgpa_flags & 0xf)
-                            printf("+%x", bgpa.bgpa_flags & 0xf);
+                               aflags & 0x80 ? "O" : "",
+                               aflags & 0x40 ? "T" : "",
+                               aflags & 0x20 ? "P" : "",
+                               aflags & 0x10 ? "E" : "");
+                        if (aflags & 0xf)
+                            printf("+%x", aflags & 0xf);
                         printf("]: ");
                     }
                     /* FIXME check for recursion */
-                    if (!bgp_attr_print(&bgpa, tptr, alen))
+                    if (!bgp_attr_print(atype, tptr, alen))
                         return 0;
                     tptr += alen;
                     len -= alen;
@@ -2140,7 +2187,7 @@ bgp_attr_print(const struct bgp_attr *at
 
 	default:
 	    TCHECK2(*pptr,len);
-            printf("\n\t    no Attribute %u decoder",attr->bgpa_type); /* we have no decoder for the attribute */
+            printf("\n\t    no Attribute %u decoder",atype); /* we have no decoder for the attribute */
             if (vflag <= 1)
                 print_unknown_data(pptr,"\n\t    ",len);
             break;
@@ -2156,14 +2203,97 @@ trunc:
 }
 
 static void
+bgp_capabilities_print(const u_char *opt, int caps_len)
+{
+	char tokbuf[TOKBUFSIZE];
+	char tokbuf2[TOKBUFSIZE];
+	int cap_type, cap_len, tcap_len, cap_offset;
+        int i = 0;
+
+        while (i < caps_len) {
+                TCHECK2(opt[i], BGP_CAP_HEADER_SIZE);
+                cap_type=opt[i];
+                cap_len=opt[i+1];
+                tcap_len=cap_len;
+                printf("\n\t      %s (%u), length: %u",
+                       tok2strbuf(bgp_capcode_values, "Unknown",
+                                  cap_type, tokbuf, sizeof(tokbuf)),
+                       cap_type,
+                       cap_len);
+                TCHECK2(opt[i+2], cap_len);
+                switch (cap_type) {
+                case BGP_CAPCODE_MP:
+                    printf("\n\t\tAFI %s (%u), SAFI %s (%u)",
+                           tok2strbuf(af_values, "Unknown",
+                                      EXTRACT_16BITS(opt+i+2),
+                                      tokbuf, sizeof(tokbuf)),
+                           EXTRACT_16BITS(opt+i+2),
+                           tok2strbuf(bgp_safi_values, "Unknown",
+                                      opt[i+5],
+                                      tokbuf, sizeof(tokbuf)),
+                           opt[i+5]);
+                    break;
+                case BGP_CAPCODE_RESTART:
+                    printf("\n\t\tRestart Flags: [%s], Restart Time %us",
+                           ((opt[i+2])&0x80) ? "R" : "none",
+                           EXTRACT_16BITS(opt+i+2)&0xfff);
+                    tcap_len-=2;
+                    cap_offset=4;
+                    while(tcap_len>=4) {
+                        printf("\n\t\t  AFI %s (%u), SAFI %s (%u), Forwarding state preserved: %s",
+                               tok2strbuf(af_values,"Unknown",
+                                          EXTRACT_16BITS(opt+i+cap_offset),
+                                          tokbuf, sizeof(tokbuf)),
+                               EXTRACT_16BITS(opt+i+cap_offset),
+                               tok2strbuf(bgp_safi_values,"Unknown",
+                                          opt[i+cap_offset+2],
+                                          tokbuf2, sizeof(tokbuf2)),
+                               opt[i+cap_offset+2],
+                               ((opt[i+cap_offset+3])&0x80) ? "yes" : "no" );
+                        tcap_len-=4;
+                        cap_offset+=4;
+                    }
+                    break;
+                case BGP_CAPCODE_RR:
+                case BGP_CAPCODE_RR_CISCO:
+                    break;
+                case BGP_CAPCODE_AS_NEW:
+
+                    /*
+                     * Extract the 4 byte AS number encoded.
+                     */
+                    if (cap_len == 4) {
+                        printf("\n\t\t 4 Byte AS %s",
+                            as_printf(astostr, sizeof(astostr),
+                            EXTRACT_32BITS(opt + i + 2)));
+                    }
+                    break;
+                default:
+                    printf("\n\t\tno decoder for Capability %u",
+                           cap_type);
+                    if (vflag <= 1)
+                        print_unknown_data(&opt[i+2],"\n\t\t",cap_len);
+                    break;
+                }
+                if (vflag > 1 && cap_len > 0) {
+                    print_unknown_data(&opt[i+2],"\n\t\t",cap_len);
+                }
+                i += BGP_CAP_HEADER_SIZE + cap_len;
+        }
+        return;
+
+trunc:
+	printf("[|BGP]");
+}
+
+static void
 bgp_open_print(const u_char *dat, int length)
 {
 	struct bgp_open bgpo;
 	struct bgp_opt bgpopt;
 	const u_char *opt;
-	int i,cap_type,cap_len,tcap_len,cap_offset;
+	int i;
 	char tokbuf[TOKBUFSIZE];
-	char tokbuf2[TOKBUFSIZE];
 
 	TCHECK2(dat[0], BGP_OPEN_SIZE);
 	memcpy(&bgpo, dat, BGP_OPEN_SIZE);
@@ -2188,96 +2318,31 @@ bgp_open_print(const u_char *dat, int le
 		TCHECK2(opt[i], BGP_OPT_SIZE);
 		memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
 		if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
-                        printf("\n\t     Option %d, length: %u", bgpopt.bgpopt_type, bgpopt.bgpopt_len);
+			printf("\n\t     Option %d, length: %u", bgpopt.bgpopt_type, bgpopt.bgpopt_len);
 			break;
 		}
 
 		printf("\n\t    Option %s (%u), length: %u",
-                       tok2strbuf(bgp_opt_values,"Unknown",
+		       tok2strbuf(bgp_opt_values,"Unknown",
 				  bgpopt.bgpopt_type,
 				  tokbuf, sizeof(tokbuf)),
-                       bgpopt.bgpopt_type,
-                       bgpopt.bgpopt_len);
+		       bgpopt.bgpopt_type,
+		       bgpopt.bgpopt_len);
 
-                /* now lets decode the options we know*/
-                switch(bgpopt.bgpopt_type) {
-                case BGP_OPT_CAP:
-                    cap_type=opt[i+BGP_OPT_SIZE];
-                    cap_len=opt[i+BGP_OPT_SIZE+1];
-                    tcap_len=cap_len;
-                    printf("\n\t      %s (%u), length: %u",
-                           tok2strbuf(bgp_capcode_values, "Unknown",
-				      cap_type, tokbuf, sizeof(tokbuf)),
-                           cap_type,
-                           cap_len);
-                    switch(cap_type) {
-                    case BGP_CAPCODE_MP:
-                        printf("\n\t\tAFI %s (%u), SAFI %s (%u)",
-                               tok2strbuf(af_values, "Unknown",
-					  EXTRACT_16BITS(opt+i+BGP_OPT_SIZE+2),
-					  tokbuf, sizeof(tokbuf)),
-                               EXTRACT_16BITS(opt+i+BGP_OPT_SIZE+2),
-                               tok2strbuf(bgp_safi_values, "Unknown",
-					  opt[i+BGP_OPT_SIZE+5],
-					  tokbuf, sizeof(tokbuf)),
-                               opt[i+BGP_OPT_SIZE+5]);
-                        break;
-                    case BGP_CAPCODE_RESTART:
-                        printf("\n\t\tRestart Flags: [%s], Restart Time %us",
-                               ((opt[i+BGP_OPT_SIZE+2])&0x80) ? "R" : "none",
-                               EXTRACT_16BITS(opt+i+BGP_OPT_SIZE+2)&0xfff);
-                        tcap_len-=2;
-                        cap_offset=4;
-                        while(tcap_len>=4) {
-                            printf("\n\t\t  AFI %s (%u), SAFI %s (%u), Forwarding state preserved: %s",
-                                   tok2strbuf(af_values,"Unknown",
-					      EXTRACT_16BITS(opt+i+BGP_OPT_SIZE+cap_offset),
-					      tokbuf, sizeof(tokbuf)),
-                                   EXTRACT_16BITS(opt+i+BGP_OPT_SIZE+cap_offset),
-                                   tok2strbuf(bgp_safi_values,"Unknown",
-					      opt[i+BGP_OPT_SIZE+cap_offset+2],
-					      tokbuf2, sizeof(tokbuf2)),
-                                   opt[i+BGP_OPT_SIZE+cap_offset+2],
-                                   ((opt[i+BGP_OPT_SIZE+cap_offset+3])&0x80) ? "yes" : "no" );
-                            tcap_len-=4;
-                            cap_offset+=4;
-                        }
-                        break;
-                    case BGP_CAPCODE_RR:
-                    case BGP_CAPCODE_RR_CISCO:
-                        break;
-                    case BGP_CAPCODE_AS_NEW:
+		/* now let's decode the options we know*/
+		switch(bgpopt.bgpopt_type) {
 
-                        /*
-                         * Extract the 4 byte AS number encoded.
-                         */
-                        TCHECK2(opt[i + BGP_OPT_SIZE + 2], cap_len);
-                        if (cap_len == 4) {
-			    printf("\n\t\t 4 Byte AS %s",
-				as_printf(astostr, sizeof(astostr),
-				EXTRACT_32BITS(opt + i + BGP_OPT_SIZE + 2)));
-                        }
-                        break;
-                    default:
-                        TCHECK2(opt[i+BGP_OPT_SIZE+2],cap_len);
-                        printf("\n\t\tno decoder for Capability %u",
-                               cap_type);
-                        if (vflag <= 1)
-                            print_unknown_data(&opt[i+BGP_OPT_SIZE+2],"\n\t\t",cap_len);
-                        break;
-                    }
-                    if (vflag > 1) {
-                        TCHECK2(opt[i+BGP_OPT_SIZE+2],cap_len);
-                        print_unknown_data(&opt[i+BGP_OPT_SIZE+2],"\n\t\t",cap_len);
-                    }
-                    break;
-                case BGP_OPT_AUTH:
-                default:
-                       printf("\n\t      no decoder for option %u",
-                           bgpopt.bgpopt_type);
-                       break;
-                }
+		case BGP_OPT_CAP:
+			bgp_capabilities_print(&opt[i+BGP_OPT_SIZE],
+			    bgpopt.bgpopt_len);
+			break;
 
+		case BGP_OPT_AUTH:
+		default:
+		       printf("\n\t      no decoder for option %u",
+			   bgpopt.bgpopt_type);
+		       break;
+		}
 		i += BGP_OPT_SIZE + bgpopt.bgpopt_len;
 	}
 	return;
@@ -2289,107 +2354,163 @@ static void
 bgp_update_print(const u_char *dat, int length)
 {
 	struct bgp bgp;
-	struct bgp_attr bgpa;
 	const u_char *p;
+	int withdrawn_routes_len;
 	int len;
 	int i;
 	char tokbuf[TOKBUFSIZE];
+#ifndef INET6
+	char buf[MAXHOSTNAMELEN + 100];
+	int wpfx;
+#endif
 
 	TCHECK2(dat[0], BGP_SIZE);
+	if (length < BGP_SIZE)
+		goto trunc;
 	memcpy(&bgp, dat, BGP_SIZE);
 	p = dat + BGP_SIZE;	/*XXX*/
+	length -= BGP_SIZE;
 
 	/* Unfeasible routes */
-	len = EXTRACT_16BITS(p);
-	if (len) {
+	TCHECK2(p[0], 2);
+	if (length < 2)
+		goto trunc;
+	withdrawn_routes_len = EXTRACT_16BITS(p);
+	p += 2;
+	length -= 2;
+	if (withdrawn_routes_len) {
 		/*
 		 * Without keeping state from the original NLRI message,
 		 * it's not possible to tell if this a v4 or v6 route,
 		 * so only try to decode it if we're not v6 enabled.
 	         */
+		TCHECK2(p[0], withdrawn_routes_len);
+		if (length < withdrawn_routes_len)
+			goto trunc;
 #ifdef INET6
-		printf("\n\t  Withdrawn routes: %d bytes", len);
+		printf("\n\t  Withdrawn routes: %d bytes", withdrawn_routes_len);
+		p += withdrawn_routes_len;
+		length -= withdrawn_routes_len;
 #else
-		char buf[MAXHOSTNAMELEN + 100];
-		int wpfx;
+		if (withdrawn_routes_len < 2)
+			goto trunc;
+		length -= 2;
+		withdrawn_routes_len -= 2;
 
-		TCHECK2(p[2], len);
-		i = 2;
 
 		printf("\n\t  Withdrawn routes:");
 
-		while(i < 2 + len) {
-			wpfx = decode_prefix4(&p[i], buf, sizeof(buf));
+		while(withdrawn_routes_len > 0) {
+			wpfx = decode_prefix4(p, withdrawn_routes_len, buf, sizeof(buf));
 			if (wpfx == -1) {
 				printf("\n\t    (illegal prefix length)");
 				break;
 			} else if (wpfx == -2)
 				goto trunc;
+			else if (wpfx == -3)
+				goto trunc; /* bytes left, but not enough */
 			else {
-				i += wpfx;
 				printf("\n\t    %s", buf);
+				p += wpfx;
+				length -= wpfx;
+				withdrawn_routes_len -= wpfx;
 			}
 		}
 #endif
 	}
-	p += 2 + len;
 
 	TCHECK2(p[0], 2);
+	if (length < 2)
+		goto trunc;
 	len = EXTRACT_16BITS(p);
+	p += 2;
+	length -= 2;
 
-        if (len == 0 && length == BGP_UPDATE_MINSIZE) {
+        if (withdrawn_routes_len == 0 && len == 0 && length == 0) {
+            /* No withdrawn routes, no path attributes, no NLRI */
             printf("\n\t  End-of-Rib Marker (empty NLRI)");
             return;
         }
 
 	if (len) {
 		/* do something more useful!*/
-		i = 2;
-		while (i < 2 + len) {
-			int alen, aoff;
-
-			TCHECK2(p[i], sizeof(bgpa));
-			memcpy(&bgpa, &p[i], sizeof(bgpa));
-			alen = bgp_attr_len(&bgpa);
-			aoff = bgp_attr_off(&bgpa);
+		while (len) {
+			int aflags, atype, alenlen, alen;
+
+			TCHECK2(p[0], 2);
+			if (len < 2)
+			    goto trunc;
+			if (length < 2)
+			    goto trunc;
+			aflags = *p;
+			atype = *(p + 1);
+			p += 2;
+			len -= 2;
+			length -= 2;
+			alenlen = bgp_attr_lenlen(aflags, p);
+			TCHECK2(p[0], alenlen);
+			if (len < alenlen)
+			    goto trunc;
+			if (length < alenlen)
+			    goto trunc;
+			alen = bgp_attr_len(aflags, p);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***