Subject: Fix NULL pointer dereference get_ipv6_l4proto() ID: CVE-2019-8376 Origin: v4.3.1-2-gecee2ace Upstream-Author: Gabriel Ganne Date: Wed Mar 6 14:31:08 2019 +0100 Bug-Debian: https://bugs.debian.org/922624 get_ipv6_next() returns NULL on malformed packets. If that happens return the last proto that could be read. This should fix issue #537 --- a/src/common/get.c +++ b/src/common/get.c @@ -536,6 +536,8 @@ case TCPR_IPV6_NH_HBH: dbgx(3, "Jumping to next extension header (0x%hhx)", proto); exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len); + if (exthdr == NULL) + return proto; proto = exthdr->ip_nh; ptr = (u_char *)exthdr; break;
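Review bot: the early return added after the get_ipv6_next() call hands the caller `proto`, which the dbgx() line just above describes as an extension header value, so on a malformed packet the function returns an extension-header number where a layer-4 protocol is expected and gives no signal that parsing stopped early. Add a dbgx() line before `return proto;` saying that the extension header could not be read within `len`, and a short comment that the value is the last next-header read (as the commit message states) so callers know it may not be a transport protocol. The check guards only the `exthdr->ip_nh` dereference directly below it; nothing in this hunk shows whether other callers of get_ipv6_next() handle a NULL return, which is worth confirming as part of the same fix.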