diff --git a/docs/CHANGELOG b/docs/CHANGELOG index e1e577eff..dce8412b4 100644 --- a/docs/CHANGELOG +++ b/docs/CHANGELOG @@ -1,5 +1,7 @@ 10/18/2018 Version 4.3.0 beta2 + - CVE-2018-17974 heap-buffer-overflow dlt_en10mb_encode (#486) - CVE-2018-17582 heap-buffer-overflow in get_next_packet (#484) + - CVE-2018-13112 heap-buffer-overflow in get_l2len (#477 dup #408) 01/18/2018 Version 4.3.0 beta1 - Travis CI build fails due to new build images (#432) @@ -54,7 +56,7 @@ - Packet destortion --fuzz-seed option by Gabriel Ganne (#302) - Add --unique-ip-loops option to modify IPs every few loops (#296) - Netmap startup delay increase (#290) - - tcpcapinfo buffer overflow vulnerablily (#278) + - CVE-2017-6429 tcpcapinfo buffer overflow vulnerablily (#278) - Update git-clone instructions by Kyle McDonald (#277) - Allow fractions for --pps option (#270) - Print per-loop stats with --stats=0 (#269) diff --git a/src/tcpedit/plugins/dlt_en10mb/en10mb.c b/src/tcpedit/plugins/dlt_en10mb/en10mb.c index 8e08c9464..b8c2784df 100644 --- a/src/tcpedit/plugins/dlt_en10mb/en10mb.c +++ b/src/tcpedit/plugins/dlt_en10mb/en10mb.c @@ -483,9 +483,20 @@ dlt_en10mb_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir) return TCPEDIT_ERROR; } + if (pktlen < ctx->l2len) { + tcpedit_seterr(ctx->tcpedit, + "Unable to process packet #" COUNTER_SPEC " since its new length less then %d Layer 2 bytes.", + ctx->tcpedit->runtime.packetnum, ctx->l2len); + return TCPEDIT_ERROR; + } + /* Make space for our new L2 header */ - if (newl2len != ctx->l2len) + if (newl2len != ctx->l2len) { + if (newl2len > ctx->l2len) + packet = safe_realloc(packet, pktlen + (newl2len - ctx->l2len)); + memmove(packet + newl2len, packet + ctx->l2len, pktlen - ctx->l2len); + } /* update the total packet length */ pktlen += newl2len - ctx->l2len;