From 7facd94e6f8b57a0845612657edeb4fe1a19332f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 24 Apr 2023 12:14:45 -0700
Subject: [PATCH] Fix length checks in VLAN/Ethernet analyzers for non-ethertype protocols

---
 src/packet_analysis/protocol/ethernet/Ethernet.cc | 12 +++++-------
 src/packet_analysis/protocol/vlan/VLAN.cc | 11 +++++++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc
index 5d8face928..57023f4814 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
@@ -53,18 +53,16 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 // Other ethernet frame types
 if ( protocol <= 1500 )
 {
- if ( 16 >= len )
+ len -= 14;
+ data += 14;
+
+ if ( len < protocol )
 {
 Weird("truncated_ethernet_frame", packet);
 return false;
 }
 
- len -= 14;
- data += 14;
-
- // Let specialized analyzers take over for non Ethernet II frames. We use magic numbers here
- // to denote the protocols for the forwarding. We know these numbers should be valid because
- // any others used should be >= 1536, as above.
+ // Let specialized analyzers take over for non Ethernet II frames.
 if ( data[0] == 0xAA && data[1] == 0xAA )
 // IEEE 802.2 SNAP
 return ForwardPacket(len, data, packet, snap_forwarding_key);
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc
index 046bc1a2d9..e57d7810a7 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.cc
+++ b/src/packet_analysis/protocol/vlan/VLAN.cc
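Review bot: In the Ethernet.cc hunk, the new guard `if ( len < protocol )` no longer guarantees the two bytes that `data[0]` and `data[1]` read immediately after it, which the removed `16 >= len` check did. `protocol` comes from the frame and may be 0 or 1 in this `protocol <= 1500` branch, so the comparison can pass with fewer than two bytes remaining. `len -= 14` on a `size_t` would also wrap if `len` were below 14; presumably an earlier check in AnalyzePacket, outside this hunk, rules that out, but that is worth confirming since the in-block check is gone. I would write the guard as `if ( len < 2 || len < protocol )`. The VLAN.cc hunk has the same pattern after `len -= 4` and would take the same change.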
@@ -34,8 +34,15 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet if ( protocol <= 1500 ) { - // We use magic numbers here to denote the protocols for the forwarding. We know these - // numbers should be valid because any others used should be > 1500, as above. + // Skip over the VLAN header + len -= 4; + data += 4; + + if ( len < protocol ) + { + Weird("truncated_vlan_frame", packet); + return false; + } if ( data[0] == 0xAA && data[1] == 0xAA ) // IEEE 802.2 SNAP