authorallfro <ndouba@gmail.com>2011-07-23 19:38:42 -0700
committerallfro <ndouba@gmail.com>2011-07-23 19:38:42 -0700
commit0e27fc96951d5a131278a17c88786ce067c3437f (patch)
tree41a2f6580e809cfd9f8fd68fb145069ed7d03f8b
parente20d0bcb9d3eed803bdcd547dbf88b1954204332 (diff)
downloadlibnet-0e27fc96951d5a131278a17c88786ce067c3437f.tar.gz
Fixes the incorrect memory block size set in the timeexceed and redirect builders. The n variable does not include the size of the payload (payload_s), so the buffer is allocated too small when payload is not NULL and payload_s is greater than 0. This results in a memcpy buffer overflow error when libnet_pblock_append is called, and the program exits.
-rw-r--r--libnet/src/libnet_build_icmp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libnet/src/libnet_build_icmp.c b/libnet/src/libnet_build_icmp.c
index 7233b3e..d46590f 100644
--- a/libnet/src/libnet_build_icmp.c
+++ b/libnet/src/libnet_build_icmp.c
@@ -313,7 +313,7 @@ const uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
}
/* size of memory block */
- n = LIBNET_ICMPV4_TIMXCEED_H;
+ n = LIBNET_ICMPV4_TIMXCEED_H + payload_s;
/*
* FREDRAYNAL: as ICMP checksum includes what is embedded in
* the payload, and what is after the ICMP header, we need to include
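Review bot: The new size `n = LIBNET_ICMPV4_TIMXCEED_H + payload_s;` takes payload_s on trust, with no check against payload or against wrap-around. payload_s is a caller-supplied uint32_t (see the signature in the hunk header), so a value near UINT32_MAX would wrap the sum to a small n and the libnet_pblock_append step named in the commit message would presumably fail the same way again; n's declaration and the append's own bounds handling are outside the hunk, so this assumes a 32-bit n. The commit message limits the case to a non-NULL payload with payload_s > 0, but the addition is unconditional, so a NULL payload with a non-zero payload_s also enlarges the block. A guard before the assignment, for example `if ((payload == NULL) != (payload_s == 0) || payload_s > UINT32_MAX - LIBNET_ICMPV4_TIMXCEED_H) return (-1);`, would reject both inputs, and the same applies to `n = LIBNET_ICMPV4_REDIRECT_H + payload_s;` in the redirect hunk. Both functions start and end outside the hunks, so an existing check further up cannot be ruled out.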
@@ -362,7 +362,7 @@ libnet_ptag_t ptag)
return (-1);
}
- n = LIBNET_ICMPV4_REDIRECT_H; /* size of memory block */
+ n = LIBNET_ICMPV4_REDIRECT_H + payload_s; /* size of memory block */
/*
* FREDRAYNAL: as ICMP checksum includes what is embedded in
* the payload, and what is after the ICMP header, we need to include