4 files changed, 9 insertions, 0 deletions

diff --git a/print-ipx.c b/print-ipx.c
index 674dd457..c724e87f 100644
--- a/print-ipx.c
+++ b/print-ipx.c
@@ -90,6 +90,11 @@ ipx_print(netdissect_options *ndo, const u_char *p, u_int length)
 	ND_TCHECK_2(ipx->length);
 	length = EXTRACT_BE_U_2(ipx->length);
 
+	if (length < ipxSize) {
+		ND_PRINT("[length %u < %u]", length, ipxSize);
+		nd_print_invalid(ndo);
+		return;
+	}
 	ipx_decode(ndo, ipx, p + ipxSize, length - ipxSize);
 	return;
 trunc:
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 00fbe447..b666a0ef 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -93,6 +93,9 @@ e1000g		e1000g.pcap		e1000g.out
 # IPX/Netware packets
 ipx		ipx.pcap		ipx.out
 
+# IPX/Netware invalid
+ipx-invalid-length ipx-invalid-length.pcap ipx-invalid-length.out
+
 # IETF FORCES WG packets and printer
 forces01        forces1.pcap            forces1.out
 forces01vvv     forces1.pcap            forces1vvv.out  -v -v -v
diff --git a/tests/ipx-invalid-length.out b/tests/ipx-invalid-length.out
new file mode 100644
index 00000000..2904e8f9
--- /dev/null
+++ b/tests/ipx-invalid-length.out
@@ -0,0 +1 @@
+    1  16:41:40.226660 IPX 0a8808aa.00:00:00:00:00:01.0451 > 8dc23c00.18:00:3e:2b:68:56.402b: [length 29 < 30] (invalid)
diff --git a/tests/ipx-invalid-length.pcap b/tests/ipx-invalid-length.pcap
new file mode 100644
index 00000000..c65e47ae
--- /dev/null
+++ b/tests/ipx-invalid-length.pcap