If you have a build issue, consider downloading the latest release.
Otherwise, to report a bug, please fill out the reproduction steps
(below) and delete these introductory paragraphs. Thanks!
Describe the bug
There is a heap-overflow bug in get_ipv6_next. Different from #718 (The crash point is in line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered in line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).
You are opening a bug report against the Tcpreplay project: we use GitHub Issues for tracking bug reports and feature requests.
If you have a question about how to use Tcpreplay, you are at the wrong site. You can ask a question on the tcpreplay-users mailing list or on Stack Overflow with [tcpreplay] tag. General help is available here.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen. The program does not crash.
Screenshots
System (please complete the following information):
Additional context
POC poc.zip
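The expression quoted in the report dereferences exthdr + len, so the offset has to be checked against the end of the captured packet before that read happens. The following is an added example, not Tcpreplay's code or its fix: a walker over IPv6 extension headers that validates the remaining length before every access. The function name ipv6_skip_ext and the sample packet are constructed for illustration, and only the hop-by-hop, routing, fragment and destination-options headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: one hop-by-hop header (next header = 6/TCP, ext len = 0,
 * i.e. 8 bytes, padded with a PadN option) followed by 4 payload bytes. */
static const uint8_t sample[12] = { 6, 0, 1, 4, 0, 0, 0, 0,
                                    0xde, 0xad, 0xbe, 0xef };

/* Skip extension headers starting at p (first byte after the 40-byte fixed
 * IPv6 header); nh is the fixed header's Next Header value. No byte at or
 * past end is ever read. Returns the upper-layer payload and stores its
 * protocol in *proto, or NULL if the chain runs past the captured data. */
const uint8_t *ipv6_skip_ext(const uint8_t *p, const uint8_t *end,
                             uint8_t nh, uint8_t *proto)
{
    if (p > end)
        return NULL;
    while (nh == 0 || nh == 43 || nh == 44 || nh == 60) {
        size_t left = (size_t)(end - p);
        if (left < 2)               /* need the next-header and length bytes */
            return NULL;
        /* RFC 8200: length is in 8-octet units not counting the first 8;
         * the fragment header (44) is always exactly 8 bytes. */
        size_t len = (nh == 44) ? 8 : ((size_t)p[1] + 1) * 8;
        if (len > left)             /* header claims more than was captured */
            return NULL;
        nh = p[0];
        p += len;                   /* p <= end still holds after this */
    }
    *proto = nh;
    return p;
}

int main(void)
{
    uint8_t proto = 0;
    const uint8_t *pl = ipv6_skip_ext(sample, sample + sizeof sample, 0, &proto);
    printf("full packet: %s\n", pl ? "payload found" : "rejected");
    pl = ipv6_skip_ext(sample, sample + 4, 0, &proto);  /* capture cut short */
    printf("truncated:   %s\n", pl ? "payload found" : "rejected");
    return 0;
}
```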