Bug appneta#380 exit nicely on invalid fuzz packet size

baigubulu · May 5, 2017 · f56d2e9 · f56d2e9
1 parent dfe3c4a
commit f56d2e9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
@@ -1,4 +1,5 @@
 05/02/2017 Version 4.2.5
+    - AFL detected security crash in fuzz feature (#380)
     - Coverity static scan detected issues (#374)
     - Fuzz should not be overwritting Layer 3 (#372)
     - Add --fuzz-factor option to specify fuzz ratio (#371)

diff --git a/src/tcpedit/fuzzing.c b/src/tcpedit/fuzzing.c
@@ -42,16 +42,21 @@ fuzz_get_sgt_size(uint32_t r, uint32_t caplen)
 
 static inline int
 fuzz_reduce_packet_size(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
-        COUNTER new_len)
+        uint32_t new_len)
 {
-    assert(new_len <= pkthdr->len);
-
     if (pkthdr->len < pkthdr->caplen) {
-        tcpedit_seterr(tcpedit, "%s", "Packet larger than capture len.");
+        tcpedit_seterr(tcpedit, "Packet length %u smaller than capture length %u",
+                pkthdr->len, pkthdr->caplen);
+        return -1;
+    }
+
+    if (new_len > pkthdr->caplen) {
+        tcpedit_seterr(tcpedit, "Cannot fuzz packet of capture length %u to length %u",
+                pkthdr->caplen, new_len);
         return -1;
     }
 
-    if (new_len == pkthdr->len) {
+    if (new_len == pkthdr->caplen) {
         return 0;
     }