|
@@ -0,0 +1,32 @@
|
|
|
+Subject: Bugs #538 add check for packet length in do_checksum()
|
|
|
+ID: CVE-2019-8381
|
|
|
+Origin: v4.3.1-12-gdae97cba <https://github.com/appneta/tcpreplay/commit/v4.3.1-12-gdae97cba>
|
|
|
+Upstream-Author: Fred Klassen <fklassen@appneta.com>
|
|
|
+Date: Tue Mar 12 13:29:10 2019 -0700
|
|
|
+Bug-Debian: https://bugs.debian.org/922622
|
|
|
+
|
|
|
+--- a/src/tcpedit/checksum.c
|
|
|
++++ b/src/tcpedit/checksum.c
|
|
|
+@@ -41,6 +41,7 @@
|
|
|
+ udp_hdr_t *udp;
|
|
|
+ icmpv4_hdr_t *icmp;
|
|
|
+ icmpv6_hdr_t *icmp6;
|
|
|
++ u_char *layer;
|
|
|
+ int ip_hl;
|
|
|
+ int sum;
|
|
|
+
|
|
|
+@@ -62,7 +63,13 @@
|
|
|
+ proto = get_ipv6_l4proto(ipv6, len);
|
|
|
+ dbgx(3, "layer4 proto is 0x%hx", (uint16_t)proto);
|
|
|
+
|
|
|
+- ip_hl = (u_char*)get_layer4_v6(ipv6, len) - (u_char*)data;
|
|
|
++ layer = (u_char*)get_layer4_v6(ipv6, len);
|
|
|
++ if (!layer) {
|
|
|
++ tcpedit_setwarn(tcpedit, "%s", "Packet to short for checksum");
|
|
|
++ return TCPEDIT_WARN;
|
|
|
++ }
|
|
|
++
|
|
|
++ ip_hl = layer - (u_char*)data;
|
|
|
+ dbgx(3, "ip_hl proto is 0x%d", ip_hl);
|
|
|
+
|
|
|
+ len -= (ip_hl - TCPR_IPV6_H);
|