Handle frames of 65535 octets size, add a size check [CVE-2016-6160]. Closes: #829350

debian/patches/enforce-maxpacket.patch

@@ -0,0 +1,33 @@
+Subject: tcprewrite: Handle frames of 65535 octets size
+ID: CVE-2016-6160
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: Mon Jun 29 17:08:24 2015 +0200
+Bug-Debian: https://bugs.debian.org/829350
+Last-Update: 2016-07-06
+
+diff --git a/src/defines.h.in b/src/defines.h.in
+index 3a1bf1e..5468d14 100644
+--- a/src/defines.h.in
++++ b/src/defines.h.in
+@@ -104,7 +104,7 @@ typedef struct tcpr_speed_s tcpr_speed_t;
+ #define DEFAULT_MTU 1500        /* Max Transmission Unit of standard ethernet
+                                  * don't forget *frames* are MTU + L2 header! */
+ 
+-#define MAXPACKET 65535         /* was 16436 linux loopback, but maybe something is bigger then 
++#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe something is bigger then 
+                                    linux loopback */
+ 
+ #define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet */
+diff --git a/src/tcprewrite.c b/src/tcprewrite.c
+index 90a6f2e..9c32a5e 100644
+--- a/src/tcprewrite.c
++++ b/src/tcprewrite.c
+@@ -253,6 +253,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, pcap_dumper_t *pout)
+         packetnum++;
+         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
+ 
++        if (pkthdr.caplen > MAXPACKET)
++            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAXPACKET);
+         /* 
+          * copy over the packet so we can pad it out if necessary and
+          * because pcap_next() returns a const ptr

debian/patches/series

@@ -1 +1,2 @@
 configure-pcap.patch
+enforce-maxpacket.patch