Merge pull request appneta#532 from appneta/Bug_#520_2_heap-buffer-overflow_problems

fklassen · web-flow · commit 2595c903b61d · 2018-12-27T10:43:03.000-08:00
Bug appneta#520 Fix heap overflow on zero or 0xFFFF packet length
diff --git a/configure.ac b/configure.ac
@@ -4,7 +4,7 @@ dnl $Id$
 AC_PREREQ([2.69])
 
 dnl Set version info here!
-AC_INIT([tcpreplay],[4.3.0],
+AC_INIT([tcpreplay],[4.3.1],
     [https://github.com/appneta/tcpreplay/issues],
     [tcpreplay],
     [http://tcpreplay.sourceforge.net/])
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
@@ -1,3 +1,7 @@
+12/27/2018 Version 4.3.1
+    - Fix checkspell detected typos (#531)
+    - Heap overflow packet2tree and get_l2len (#530)
+
 11/10/2018 Version 4.3.0
     - Fix maxOS TOS checksum failure (#524)
     - TCP sequence edits seeding (#514)
diff --git a/src/common/utils.c b/src/common/utils.c
@@ -134,8 +134,8 @@ u_char *_our_safe_pcap_next(pcap_t *pcap,  struct pcap_pkthdr *pkthdr,
             exit(-1);
         }
 
-        if (pkthdr->len < pkthdr->caplen) {
-            fprintf(stderr, "safe_pcap_next ERROR: Invalid packet length in %s:%s() line %d: packet length %u is less than capture length %u\n",
+        if (!pkthdr->len || pkthdr->len < pkthdr->caplen) {
+            fprintf(stderr, "safe_pcap_next ERROR: Invalid packet length in %s:%s() line %d: packet length=%u capture length=%u\n",
                     file, funcname, line, pkthdr->len, pkthdr->caplen);
             exit(-1);
         }
@@ -160,8 +160,8 @@ int _our_safe_pcap_next_ex(pcap_t *pcap, struct pcap_pkthdr **pkthdr,
             exit(-1);
         }
 
-        if ((*pkthdr)->len < (*pkthdr)->caplen) {
-            fprintf(stderr, "safe_pcap_next_ex ERROR: Invalid packet length in %s:%s() line %d: packet length %u is less than capture length %u\n",
+        if (!(*pkthdr)->len || (*pkthdr)->len < (*pkthdr)->caplen) {
+            fprintf(stderr, "safe_pcap_next_ex ERROR: Invalid packet length in %s:%s() line %d: packet length=%u capture length=%u\n",
                     file, funcname, line, (*pkthdr)->len, (*pkthdr)->caplen);
             exit(-1);
         }

Original file line number	Diff line number	Diff line change
`@@ -134,8 +134,8 @@ u_char _our_safe_pcap_next(pcap_t pcap, struct pcap_pkthdr *pkthdr,`
`134`	`134`	`exit(-1);`
`135`	`135`	`}`
`136`	`136`
`137`		`- if (pkthdr->len < pkthdr->caplen) {`
`138`		`- fprintf(stderr, "safe_pcap_next ERROR: Invalid packet length in %s:%s() line %d: packet length %u is less than capture length %u\n",`
	`137`	`+ if (!pkthdr->len \|\| pkthdr->len < pkthdr->caplen) {`
	`138`	`+ fprintf(stderr, "safe_pcap_next ERROR: Invalid packet length in %s:%s() line %d: packet length=%u capture length=%u\n",`
`139`	`139`	`file, funcname, line, pkthdr->len, pkthdr->caplen);`
`140`	`140`	`exit(-1);`
`141`	`141`	`}`
`@@ -160,8 +160,8 @@ int _our_safe_pcap_next_ex(pcap_t pcap, struct pcap_pkthdr *pkthdr,`
`160`	`160`	`exit(-1);`
`161`	`161`	`}`
`162`	`162`
`163`		`- if ((pkthdr)->len < (pkthdr)->caplen) {`
`164`		`- fprintf(stderr, "safe_pcap_next_ex ERROR: Invalid packet length in %s:%s() line %d: packet length %u is less than capture length %u\n",`
	`163`	`+ if (!(pkthdr)->len \|\| (pkthdr)->len < (*pkthdr)->caplen) {`
	`164`	`+ fprintf(stderr, "safe_pcap_next_ex ERROR: Invalid packet length in %s:%s() line %d: packet length=%u capture length=%u\n",`
`165`	`165`	`file, funcname, line, (pkthdr)->len, (pkthdr)->caplen);`
`166`	`166`	`exit(-1);`
`167`	`167`	`}`