Merge pull request #595 from appneta/Bug_#594_double_free_enet-vlan-add

Bug #594 double free enet vlan add
appneta · Jun 3, 2020 · 5f9b2c2 · 5f9b2c2
2 parents 00ef0e8 + 13e555a
commit 5f9b2c2
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/src/common/flows.c b/src/common/flows.c
@@ -90,7 +90,7 @@ static inline flow_hash_entry_t *hash_add_entry(flow_hash_table_t *fht, const ui
 
     assert(hv < fht->num_buckets);
 
-    he = malloc(sizeof (*he));
+    he = safe_malloc(sizeof (*he));
     if (!he) {
         warn("out of memory");
         return NULL;
@@ -321,6 +321,7 @@ flow_entry_type_t flow_decode(flow_hash_table_t *fht, const struct pcap_pkthdr *
         icmp_hdr = (icmpv4_hdr_t*)(pktdata + ip_len + l2_len);
         entry.src_port = icmp_hdr->icmp_type;
         entry.dst_port = icmp_hdr->icmp_code;
+        break;
     }
 
     /* hash the 5-tuple */
@@ -332,15 +333,15 @@ flow_entry_type_t flow_decode(flow_hash_table_t *fht, const struct pcap_pkthdr *
 static void flow_cache_clear(flow_hash_table_t *fht)
 {
     flow_hash_entry_t *fhe = NULL;
-    flow_hash_entry_t *fhe_tmp = NULL;
+    flow_hash_entry_t *fhe_next = NULL;
     size_t i;
 
     for (i = 0; i < fht->num_buckets; i++) {
-        if ( (fhe = fht->buckets[i]) ) {
+        if ((fhe = fht->buckets[i]) != NULL) {
             while (fhe) {
-                fhe_tmp = fhe;
-                fhe = fhe->next;
-                free(fhe_tmp);
+                fhe_next = fhe->next;
+                safe_free(fhe);
+                fhe = fhe_next;
             }
             fht->buckets[i] = NULL;
         }
@@ -366,6 +367,6 @@ void flow_hash_table_release(flow_hash_table_t *fht)
         return;
 
     flow_cache_clear(fht);
-    free(fht->buckets);
-    free(fht);
+    safe_free(fht->buckets);
+    safe_free(fht);
 }
diff --git a/src/defines.h.in b/src/defines.h.in
@@ -161,6 +161,8 @@ typedef struct tcpr_speed_s {
                                          * couple VLAN headers or a L2 header
                                          */
 
+#define PACKET_HEADROOM 512     /* additional headroom allocated for packets to accommodate editing */
+
 #define DNS_RESOLVE 1
 #define DNS_DONT_RESOLVE 0
 

diff --git a/src/send_packets.c b/src/send_packets.c
@@ -1055,7 +1055,7 @@ get_next_packet(tcpreplay_t *ctx, pcap_t *pcap, struct pcap_pkthdr *pkthdr, int
                     (*prev_packet)->next = NULL;
                     pktlen = pkthdr->len;
 
-                    (*prev_packet)->pktdata = safe_malloc(pktlen);
+                    (*prev_packet)->pktdata = safe_malloc(pktlen + PACKET_HEADROOM);
                     memcpy((*prev_packet)->pktdata, pktdata, pktlen);
                     memcpy(&((*prev_packet)->pkthdr), pkthdr, sizeof(struct pcap_pkthdr));
                 }