author | allfro <ndouba@gmail.com> | 2011-07-23 19:38:42 -0700 |
---|---|---|
committer | allfro <ndouba@gmail.com> | 2011-07-23 19:38:42 -0700 |
commit | 0e27fc96951d5a131278a17c88786ce067c3437f (patch) | |
tree | 41a2f6580e809cfd9f8fd68fb145069ed7d03f8b | |
parent | e20d0bcb9d3eed803bdcd547dbf88b1954204332 (diff) | |
download | libnet-0e27fc96951d5a131278a17c88786ce067c3437f.tar.gz |
Fixes the incorrect memory block size set in the timeexceed and redirect builders. The n variable does not include the size of the payload (payload_s), so the buffer is not allocated properly when payload is not NULL and payload_s is greater than 0. This results in a memcpy buffer overflow error when libnet_pblock_append is called, which exits the program.
-rw-r--r-- | libnet/src/libnet_build_icmp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libnet/src/libnet_build_icmp.c b/libnet/src/libnet_build_icmp.c
index 7233b3e..d46590f 100644
--- a/libnet/src/libnet_build_icmp.c
+++ b/libnet/src/libnet_build_icmp.c
@@ -313,7 +313,7 @@ const uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
 }
 /* size of memory block */
- n = LIBNET_ICMPV4_TIMXCEED_H;
+ n = LIBNET_ICMPV4_TIMXCEED_H + payload_s;
 /*
 * FREDRAYNAL: as ICMP checksum includes what is embedded in
 * the payload, and what is after the ICMP header, we need to include
@@ -362,7 +362,7 @@ libnet_ptag_t ptag)
 return (-1);
 }
- n = LIBNET_ICMPV4_REDIRECT_H; /* size of memory block */
+ n = LIBNET_ICMPV4_REDIRECT_H + payload_s; /* size of memory block */
 /*
 * FREDRAYNAL: as ICMP checksum includes what is embedded in
 * the payload, and what is after the ICMP header, we need to include |
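Review bot: The new sum `LIBNET_ICMPV4_TIMXCEED_H + payload_s` in the first hunk is unchecked unsigned arithmetic on a caller-supplied length (`uint32_t payload_s` in the hunk header), so a value near UINT32_MAX would wrap to a small n. Assuming n is what sizes the block that the payload is later copied into, as the commit message describes, that leaves the buffer undersized again for the same memcpy. A guard before the assignment would reject such lengths, for example `if (payload_s > UINT32_MAX - LIBNET_ICMPV4_TIMXCEED_H) return (-1);`, and the same applies to `n = LIBNET_ICMPV4_REDIRECT_H + payload_s;` in the second hunk with its own header constant. Both builder functions begin and end outside the hunks, so whether payload_s is already bounded, or rejected when payload is NULL, cannot be confirmed from here.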