Bug #571 do not allocate MAXPACKET on stack

Now that MAXPACKET size has increased, it is no longer reasonable to allocate this much on the stack.
appneta · Jun 2, 2020 · 0e071da · 0e071da
1 parent 7f933e2
commit 0e071da
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 6 deletions.
diff --git a/src/tcpedit/plugins/dlt_hdlc/hdlc.c b/src/tcpedit/plugins/dlt_hdlc/hdlc.c
@@ -228,7 +228,6 @@ dlt_hdlc_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, _U_ tcpr_dir_t di
     hdlc_config_t *config = NULL;
     hdlc_extra_t *extra = NULL;
     tcpeditdlt_plugin_t *plugin = NULL;
-    u_char tmpbuff[MAXPACKET];
     int newpktlen;
 
     assert(ctx);
@@ -244,8 +243,10 @@ dlt_hdlc_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, _U_ tcpr_dir_t di
     if (ctx->l2len > 4) {
         memmove(packet + 4, packet + ctx->l2len, pktlen - ctx->l2len);
     } else if (ctx->l2len < 4) {
+        u_char *tmpbuff = safe_malloc(pktlen);
         memcpy(tmpbuff, packet, pktlen);
         memcpy(packet + 4, (tmpbuff + ctx->l2len), pktlen - ctx->l2len);
+        safe_free(tmpbuff);
     }
 
     /* update the total packet length */

diff --git a/src/tcpedit/plugins/dlt_user/user.c b/src/tcpedit/plugins/dlt_user/user.c
@@ -227,7 +227,6 @@ dlt_user_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir)
 {
     user_config_t *config;
     tcpeditdlt_plugin_t *plugin;
-    u_char tmpbuff[MAXPACKET];
 
     assert(ctx);
     assert(packet);
@@ -247,8 +246,10 @@ dlt_user_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir)
     if (ctx->l2len > config->length) {
         memmove(packet + config->length, packet + ctx->l2len, pktlen - ctx->l2len);
     } else if (ctx->l2len < config->length) {
+        u_char *tmpbuff = safe_malloc(pktlen);
         memcpy(tmpbuff, packet, pktlen);
         memcpy(packet + config->length, (tmpbuff + ctx->l2len), pktlen - ctx->l2len);
+        safe_free(tmpbuff);
     }
 
     /* update the total packet length */

diff --git a/src/tcpedit/tcpedit_opts.def b/src/tcpedit/tcpedit_opts.def
@@ -175,7 +175,7 @@ flag = {
     value       = m;
     arg-type    = number;
     max         = 1;
-    arg-range   = "1->MAXPACKET";
+    arg-range   = "1->MAX_SNAPLEN";
     default     = DEFAULT_MTU;
     descrip     = "Override default MTU length (1500 bytes)";
     doc         = <<- EOText

diff --git a/src/tcpprep.c b/src/tcpprep.c
@@ -325,12 +325,14 @@ process_raw_packets(pcap_t * pcap)
     const u_char *pktdata = NULL;
     COUNTER packetnum = 0;
     int l2len;
-    u_char ipbuff[MAXPACKET], *buffptr;
+    u_char *ipbuff, *buffptr;
     tcpr_dir_t direction = TCPR_DIR_ERROR;
     tcpprep_opt_t *options = tcpprep->options;
 
     assert(pcap);
 
+    ipbuff = safe_malloc(MAXPACKET);
+
     while ((pktdata = safe_pcap_next(pcap, &pkthdr)) != NULL) {
         packetnum++;
 
@@ -566,6 +568,8 @@ process_raw_packets(pcap_t * pcap)
 #endif
     }
 
+    safe_free(ipbuff);
+
     return packetnum;
 }
 

diff --git a/src/tcprewrite.c b/src/tcprewrite.c
@@ -261,8 +261,8 @@ rewrite_packets(tcpedit_t *tcpedit, pcap_t *pin, pcap_dumper_t *pout)
         packetnum++;
         dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
 
-        if (pkthdr.caplen > MAXPACKET)
-            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAXPACKET);
+        if (pkthdr.caplen > MAX_SNAPLEN)
+            errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAX_SNAPLEN);
         /* 
          * copy over the packet so we can pad it out if necessary and
          * because pcap_next() returns a const ptr