diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-bgp.c tcpdump-3.8.3/print-bgp.c
--- tcpdump-3.8.3.orig/print-bgp.c 2005-05-06 17:41:55.000000000 -0300
+++ tcpdump-3.8.3/print-bgp.c 2005-05-06 17:45:08.000000000 -0300
@@ -1216,6 +1216,8 @@
 tptr = pptr + len;
 break;
 }
+ if (advance < 0) /* infinite loop protection */
+ break;
 tptr += advance;
 }
 break;
diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-isoclns.c tcpdump-3.8.3/print-isoclns.c
--- tcpdump-3.8.3.orig/print-isoclns.c 2005-05-06 17:41:55.000000000 -0300
+++ tcpdump-3.8.3/print-isoclns.c 2005-05-06 17:53:57.000000000 -0300
@@ -1250,11 +1250,11 @@
 break;
 case L1_CSNP:
 case L2_CSNP:
- printf(", src-id %s", isis_print_id(header_csnp->source_id,SYSTEM_ID_LEN));
+ printf(", src-id %s", isis_print_id(header_csnp->source_id,NODE_ID_LEN));
 break;
 case L1_PSNP:
 case L2_PSNP:
- printf(", src-id %s", isis_print_id(header_psnp->source_id,SYSTEM_ID_LEN));
+ printf(", src-id %s", isis_print_id(header_psnp->source_id,NODE_ID_LEN));
 break;
 }
@@ -1506,6 +1506,9 @@
 tlv_type, tlv_len);
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
 /* now check if we have a decoder otherwise do a hexdump at the end*/
 switch (tlv_type) {
 case TLV_AREA_ADDR:
@@ -1536,7 +1539,7 @@
 break;
 case TLV_ISNEIGH_VARLEN:
- if (!TTEST2(*tptr, 1))
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
 goto trunctlv;
 lan_alen = *tptr++; /* LAN adress length */
 tmp --;
diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-ldp.c tcpdump-3.8.3/print-ldp.c
--- tcpdump-3.8.3.orig/print-ldp.c 2005-05-06 17:41:55.000000000 -0300
+++ tcpdump-3.8.3/print-ldp.c 2005-05-06 17:49:09.000000000 -0300
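Review bot: The guard added after the switch stops the loop only for a negative `advance`; a decoder path that returned 0 without moving tptr would still spin, so `if (advance <= 0)` is the tighter bound, and for the case visible just above (`tptr = pptr + len;`) leaving via `break` is equivalent to the loop condition failing on the next pass. The comment should explain the condition rather than restate its purpose, e.g. `/* negative advance is a decoder error code; stepping tptr backwards would never terminate */`. The enclosing while loop and the decoders' return conventions are outside the hunk, so whether any of them can return 0 is inferred, not seen.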
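Review bot: The two changed printf calls now read NODE_ID_LEN bytes from `source_id`, so the members behind `header_csnp` and `header_psnp` must be declared at least that large and be covered by whatever bounds check validated the header; neither declaration is in the hunk, so please confirm before merging. A one-line comment would also justify the constant for the next reader, e.g. `/* CSNP/PSNP source ID includes the pseudonode octet: NODE_ID_LEN, not SYSTEM_ID_LEN */`.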
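Review bot: The `break` on `tlv_len == 0` leaves the TLV loop silently, so every TLV after the malformed one is dropped with no indication in the output, whereas the RSVP hunk in this same patch prints an ERROR line before breaking; adding `printf("\n\t    zero length TLV, giving up");` before the `break` keeps the two consistent and makes the shortened dump explainable. The comment `/* something is malformed */` should name the consequence being avoided, e.g. `/* nothing for the per-type decoders below to parse */`. The enclosing while loop starts outside the hunk, so whether `break` or a skip to the next TLV is the better recovery cannot be judged from here.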
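Review bot: `tmp < 3` is folded into the truncation test, so a too-short TLV jumps to `trunctlv` and is reported the same way as a packet cut off by the snapshot length, which misdescribes the input; a separate `if (tmp < 3) { printf("\n\t      TLV too short"); break; }` would keep the diagnostics honest. The constant 3 also needs a comment saying what it covers (presumably the `lan_alen` byte plus a minimum address), since `/* min. TLV length */` only restates the code. The decoder body continues past `tmp --;` outside the hunk; if it walks the neighbor list in steps of `lan_alen`, a `lan_alen` of 0 is the value that would actually fail to terminate and is not excluded by this check, so a rejection right after `lan_alen = *tptr++;` is worth adding.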
@@ -326,6 +326,9 @@
 EXTRACT_32BITS(&ldp_msg_header->id),
 LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+ if (msg_len == 0) /* infinite loop protection */
+ break;
+
 msg_tptr=tptr+sizeof(struct ldp_msg_header);
 msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
diff --exclude='*~' -Naur tcpdump-3.8.3.orig/print-rsvp.c tcpdump-3.8.3/print-rsvp.c
--- tcpdump-3.8.3.orig/print-rsvp.c 2005-05-06 17:41:55.000000000 -0300
+++ tcpdump-3.8.3/print-rsvp.c 2005-05-06 17:51:12.000000000 -0300
@@ -875,10 +875,17 @@
 switch(rsvp_obj_ctype) {
 case RSVP_CTYPE_IPV4:
 while(obj_tlen >= 4 ) {
- printf("\n\t Subobject Type: %s",
+ printf("\n\t Subobject Type: %s, length %u",
 tok2str(rsvp_obj_xro_values,
 "Unknown %u",
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+ *(obj_tptr+1));
+
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+ printf("\n\t ERROR: zero length ERO subtype");
+ break;
+ }
+
 switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
 case RSVP_OBJ_XRO_IPV4:
 printf(", %s, %s/%u, Flags: [%s]",
@@ -921,8 +928,8 @@
 if (obj_tlen < 8)
 return;
 printf("\n\t Restart Time: %ums, Recovery Time: %ums",
- EXTRACT_16BITS(obj_tptr),
- EXTRACT_16BITS(obj_tptr+4));
+ EXTRACT_32BITS(obj_tptr),
+ EXTRACT_32BITS(obj_tptr+4));
 obj_tlen-=8;
 obj_tptr+=8;
 break;
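Review bot: The new `msg_len == 0` check does not protect the arithmetic two lines below it: `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4` still wraps for any `msg_len` smaller than `sizeof(struct ldp_msg_header) - 4`, and a wrapped `msg_tlen` would drive the TLV parsing far past the message. Testing the real precondition covers the zero case as well: `if (msg_len + 4 < sizeof(struct ldp_msg_header)) /* shorter than the message header; msg_tlen below would wrap */` followed by the same `break;`. The message loop and the declared types of msg_len and msg_tlen are outside the hunk, so the wrap is inferred from the expression rather than seen.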
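Review bot: The new check rejects only a zero subobject length; if the loop tail advances `obj_tptr` and `obj_tlen` by that same byte (the tail is outside the hunk), a length larger than the remaining `obj_tlen` is the other malformed value and would carry the cursor past the object, so the condition should be `if (*(obj_tptr+1) == 0 || *(obj_tptr+1) > obj_tlen) { /* zero or oversized length would run off the object */` with the message changed to `"\n\t ERROR: bad ERO subobject length"`. Reading `*(obj_tptr+1)` three times in a row also reads better hoisted into a local that the print, the check and the tail all use. Since the message text above says "Subobject Type", the wording "subtype" in the ERROR line is inconsistent and should be "subobject".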
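Review bot: The switch from EXTRACT_16BITS to EXTRACT_32BITS is unexplained in the code; a reader who only sees `%ums` and the 4-byte offsets cannot tell that the old width was a bug, so a comment on the printf naming the source of the field widths would help, e.g. `/* Restart_Cap object (RFC 3473): Restart Time and Recovery Time are 32-bit values in ms */`. The `obj_tlen < 8` check above already matches two 32-bit fields, so no further change is needed.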