Subject: tcprewrite: Handle frames of 65535 octets size
ID: CVE-2016-6160
Author: Christoph Biedl
Date: Mon Jun 29 17:08:24 2015 +0200
Bug-Debian: https://bugs.debian.org/829350
Last-Update: 2016-07-06
diff --git a/src/defines.h.in b/src/defines.h.in
index 3a1bf1e..5468d14 100644
--- a/src/defines.h.in
+++ b/src/defines.h.in
@@ -104,7 +104,7 @@ typedef struct tcpr_speed_s tcpr_speed_t;
 #define DEFAULT_MTU 1500 /* Max Transmission Unit of standard ethernet
 * don't forget *frames* are MTU + L2 header! */
-#define MAXPACKET 65535 /* was 16436 linux loopback, but maybe something is bigger then
+#define MAXPACKET 65549 /* was 16436 linux loopback, but maybe something is bigger then
 linux loopback */
 #define MAX_SNAPLEN 65535 /* tell libpcap to capture the entire packet */
diff --git a/src/tcprewrite.c b/src/tcprewrite.c
index 90a6f2e..9c32a5e 100644
--- a/src/tcprewrite.c
+++ b/src/tcprewrite.c
@@ -253,6 +253,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, pcap_dumper_t *pout)
 packetnum++;
 dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
+ if (pkthdr.caplen > MAXPACKET)
+ errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAXPACKET);
 /*
 * copy over the packet so we can pad it out if necessary and
 * because pcap_next() returns a const ptr
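Review bot: The new `MAXPACKET` value 65549 is a magic number with no stated derivation, and the comment kept beside it still only describes the old loopback size. It reads like `MAX_SNAPLEN` plus 14 bytes of headroom (presumably a link-layer header, though the patch does not say so). Writing that out, e.g. `#define MAXPACKET (MAX_SNAPLEN + 14) /* largest capture plus L2 header headroom */`, would stop the two limits drifting apart. Any buffer sized by `MAXPACKET` elsewhere in the tree grows with this change and is worth a check.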
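Review bot: The added guard bounds only the captured length on input. The comment right after it says the copy exists so the packet can be padded, and `caplen > MAXPACKET` does not cover any later step that lengthens the frame. The destination buffer and the copy are outside the hunk, so confirm that the buffer is declared with `MAXPACKET` bytes and that editing cannot grow a frame past it. `pkthdr.caplen` is an unsigned `bpf_u_int32`, so the message should print it with `%u`: `errx(-1, "Frame too big, caplen %u exceeds %d", pkthdr.caplen, MAXPACKET);`. The body of rewrite_packets continues outside the hunk.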