From 9062a91125065314877e03fc1e6ebbea7fc01ee8 Mon Sep 17 00:00:00 2001
From: Fred Klassen
Date: Thu, 18 Oct 2018 14:20:46 -0700
Subject: [PATCH] Bug #486 CVE-2018-17974 realloc memory if packet size increases
Also added check for packet size > cap len, although this may be never be hit since #484
---
docs/CHANGELOG | 4 +++-
src/tcpedit/plugins/dlt_en10mb/en10mb.c | 13 ++++++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index e1e577eff..dce8412b4 100644
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -1,5 +1,7 @@
10/18/2018 Version 4.3.0 beta2
+ - CVE-2018-17974 heap-buffer-overflow dlt_en10mb_encode (#486)
- CVE-2018-17582 heap-buffer-overflow in get_next_packet (#484)
+ - CVE-2018-13112 heap-buffer-overflow in get_l2len (#477 dup #408)
01/18/2018 Version 4.3.0 beta1
- Travis CI build fails due to new build images (#432)
@@ -54,7 +56,7 @@
- Packet destortion --fuzz-seed option by Gabriel Ganne (#302)
- Add --unique-ip-loops option to modify IPs every few loops (#296)
- Netmap startup delay increase (#290)
- - tcpcapinfo buffer overflow vulnerablily (#278)
+ - CVE-2017-6429 tcpcapinfo buffer overflow vulnerablily (#278)
- Update git-clone instructions by Kyle McDonald (#277)
- Allow fractions for --pps option (#270)
- Print per-loop stats with --stats=0 (#269)
diff --git a/src/tcpedit/plugins/dlt_en10mb/en10mb.c b/src/tcpedit/plugins/dlt_en10mb/en10mb.c
index 8e08c9464..b8c2784df 100644
--- a/src/tcpedit/plugins/dlt_en10mb/en10mb.c
+++ b/src/tcpedit/plugins/dlt_en10mb/en10mb.c
@@ -483,9 +483,20 @@ dlt_en10mb_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir)
return TCPEDIT_ERROR;
}
+ if (pktlen < ctx->l2len) {
+ tcpedit_seterr(ctx->tcpedit,
+ "Unable to process packet #" COUNTER_SPEC " since its new length less then %d Layer 2 bytes.",
+ ctx->tcpedit->runtime.packetnum, ctx->l2len);
+ return TCPEDIT_ERROR;
+ }
+ /* Make space for our new L2 header */
- if (newl2len != ctx->l2len)
+ if (newl2len != ctx->l2len) {
+ if (newl2len > ctx->l2len)
+ packet = safe_realloc(packet, pktlen + (newl2len - ctx->l2len));
+ memmove(packet + newl2len, packet + ctx->l2len, pktlen - ctx->l2len);
+ }
/* update the total packet length */
pktlen += newl2len - ctx->l2len;
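Review bot: `packet = safe_realloc(packet, pktlen + (newl2len - ctx->l2len));` in the new `if (newl2len > ctx->l2len)` branch only reassigns the function's local copy of the `packet` parameter, so if realloc moves the block the caller keeps a pointer to the freed original (a use-after-free on its next access) and the enlarged frame built by the following `memmove` is never handed back — the function appears to return an int status (`return TCPEDIT_ERROR;`), and its body begins and ends outside this hunk, so I cannot see a pointer-out path. Passing the buffer to realloc is also only valid if the caller obtained it from malloc; whether that holds, and whether the caller can accept a new pointer, needs confirming against the call site. Unless such a path exists, a safer shape is to compare the grown length against the capacity of the caller's buffer and fail through `tcpedit_seterr` instead of reallocating, or to change the parameter to `u_char **packet` so the new pointer and ownership of the old block are returned explicitly. Minor: the new error string reads `"... since its new length less then %d Layer 2 bytes."`; it should be `"... since its new length is less than %d Layer 2 bytes."`.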