openslp/openslp.parseext.diff


--- ./common/slp_message.c.orig 2010-10-12 15:42:23.439823000 +0000
+++ ./common/slp_message.c 2010-10-12 15:45:44.936750000 +0000
@@ -872,10 +872,19 @@ int ParseExtension(SLPBuffer buffer, SLP
int extid;
int nextoffset;
int result = SLP_ERROR_OK;
+ int bufsz = (int)(buffer->end - buffer->start);
nextoffset = message->header.extoffset;
while(nextoffset)
{
+ /* check for circular reference in list
+ * if the size gets below zero, we know we're
+ * reprocessing extensions in a loop.
+ */
+ bufsz -= 5;
+ if (bufsz <= 0)
+ return SLP_ERROR_PARSE_ERROR;
+
buffer->curpos = buffer->start + nextoffset;
if(buffer->curpos + 5 >= buffer->end)
{
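Review bot: The new guard at the top of the `while(nextoffset)` loop leaves with a bare `return SLP_ERROR_PARSE_ERROR;` although the function keeps its status in `result`. The rest of the body is outside this hunk, but if it leaves through a common exit, setting `result = SLP_ERROR_PARSE_ERROR;` and taking that exit would keep all error paths uniform. The comment says the size must get "below zero" while the test is `bufsz <= 0`. It would also be clearer to state the invariant, e.g. `/* each extension apparently needs at least 5 bytes, so more than bufsz/5 passes means an offset is being revisited */`. This bounds the walk rather than detecting the cycle, so a looping chain in an untrusted message is still processed up to roughly bufsz/5 times before it is rejected. The `(int)` cast of `buffer->end - buffer->start` also assumes the buffer length fits in an `int`, which should be documented or checked.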