Subject: Fix NULL pointer dereference in get_layer4_v6() ID: CVE-2019-8377 Origin: v4.3.1-3-g5d6f191d Upstream-Author: Gabriel Ganne Date: Wed Mar 6 14:15:56 2019 +0100 Bug-Debian: https://bugs.debian.org/922623 get_ipv6_next() returns NULL on malformed packets. If that happens return the last header that could be read. This should fix issue #536 --- a/src/common/get.c +++ b/src/common/get.c @@ -407,6 +407,8 @@ dbgx(3, "Going deeper due to extension header 0x%02X", proto); maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next); exthdr = get_ipv6_next(next, maxlen); + if (exthdr == NULL) + return next; proto = exthdr->ip_nh; next = exthdr; break;
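Review bot: The new `if (exthdr == NULL) return next;` branch returns the extension header that could not be walked from a function named get_layer4_v6(), so a caller cannot tell a malformed packet from a successful lookup and may treat the returned pointer as a transport header. Consider returning NULL here and having callers check for it, or at least state in the function comment that on malformed input the result is the last readable header rather than layer 4. A `dbgx()` line in this branch would also make the early exit visible in the same way as the "Going deeper" trace above it. Separately, the context line `maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);` subtracts `next` from `ip6_hdr`. If `next` sits after `ip6_hdr` in the buffer, that difference is negative and maxlen comes out larger than len instead of smaller. This is worth confirming, since maxlen is the bound handed to get_ipv6_next().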