Bug #486 CVE-2018-17974 realloc memory if packet size increases

Also added check for packet size > cap len, although this may
be never be hit since #484

docs/CHANGELOG

@@ -1,5 +1,7 @@
 10/18/2018 Version 4.3.0 beta2
+    - CVE-2018-17974 heap-buffer-overflow dlt_en10mb_encode (#486)
     - CVE-2018-17582 heap-buffer-overflow in get_next_packet (#484)
+    - CVE-2018-13112 heap-buffer-overflow in get_l2len (#477 dup #408)
 
 01/18/2018 Version 4.3.0 beta1
     - Travis CI build fails due to new build images (#432)
@@ -54,7 +56,7 @@
     - Packet destortion --fuzz-seed option by Gabriel Ganne (#302)
     - Add --unique-ip-loops option to modify IPs every few loops (#296)
     - Netmap startup delay increase (#290)
-    - tcpcapinfo buffer overflow vulnerablily (#278)
+    - CVE-2017-6429 tcpcapinfo buffer overflow vulnerablily (#278)
     - Update git-clone instructions by Kyle McDonald (#277)
     - Allow fractions for --pps option (#270)
     - Print per-loop stats with --stats=0 (#269)

src/tcpedit/plugins/dlt_en10mb/en10mb.c

@@ -483,9 +483,20 @@ dlt_en10mb_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir)
         return TCPEDIT_ERROR;
     }
 
+    if (pktlen < ctx->l2len) {
+        tcpedit_seterr(ctx->tcpedit,
+                "Unable to process packet #" COUNTER_SPEC " since its new length less then %d Layer 2 bytes.",
+                ctx->tcpedit->runtime.packetnum, ctx->l2len);
+        return TCPEDIT_ERROR;
+    }
+
     /* Make space for our new L2 header */
-    if (newl2len != ctx->l2len)
+    if (newl2len != ctx->l2len) {
+        if (newl2len > ctx->l2len)
+            packet = safe_realloc(packet, pktlen + (newl2len - ctx->l2len));
+
         memmove(packet + newl2len, packet + ctx->l2len, pktlen - ctx->l2len);
+    }
 
     /* update the total packet length */
     pktlen += newl2len - ctx->l2len;