Subject: Bugs #538 add check for packet length in do_checksum()
ID: CVE-2019-8381
Origin: v4.3.1-12-gdae97cba
Upstream-Author: Fred Klassen
Date: Tue Mar 12 13:29:10 2019 -0700
Bug-Debian: https://bugs.debian.org/922622
--- a/src/tcpedit/checksum.c
+++ b/src/tcpedit/checksum.c
@@ -41,6 +41,7 @@
  udp_hdr_t *udp;
  icmpv4_hdr_t *icmp;
  icmpv6_hdr_t *icmp6;
+ u_char *layer;
  int ip_hl;
  int sum;
@@ -62,7 +63,13 @@
  proto = get_ipv6_l4proto(ipv6, len);
  dbgx(3, "layer4 proto is 0x%hx", (uint16_t)proto);
- ip_hl = (u_char*)get_layer4_v6(ipv6, len) - (u_char*)data;
+ layer = (u_char*)get_layer4_v6(ipv6, len);
+ if (!layer) {
+ tcpedit_setwarn(tcpedit, "%s", "Packet to short for checksum");
+ return TCPEDIT_WARN;
+ }
+
+ ip_hl = layer - (u_char*)data;
  dbgx(3, "ip_hl proto is 0x%d", ip_hl);
  len -= (ip_hl - TCPR_IPV6_H);
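Review bot: The guard added after `get_layer4_v6()` in the second hunk rejects only a NULL return, so the hunk's last line, `len -= (ip_hl - TCPR_IPV6_H);`, still runs with no lower bound on the result. Unless a later part of do_checksum() (the body continues outside this hunk) checks that the remaining `len` covers the transport header it is about to sum, a truncated packet with a non-NULL layer pointer could still lead to a read past the captured data. Consider a second check right after `ip_hl` is computed, along the lines of `if (ip_hl < TCPR_IPV6_H || len < ip_hl - TCPR_IPV6_H) { tcpedit_setwarn(...); return TCPEDIT_WARN; }`, once it is confirmed what `len` counts at this point. The warning string also has a typo: `"Packet to short for checksum"` should be `"Packet too short for checksum"`.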