From 4bb7c56273e7ee22da91ca9a8587a1589e57b53c Mon Sep 17 00:00:00 2001
From: Fred Klassen
Date: Tue, 2 Jun 2020 17:07:20 -0700
Subject: [PATCH 1/2] Bug #594 use safe functions for flow hash malloc/free
---
 src/common/flows.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/common/flows.c b/src/common/flows.c
index 0bd061300..74c0ec2f3 100644
--- a/src/common/flows.c
+++ b/src/common/flows.c
@@ -90,7 +90,7 @@ static inline flow_hash_entry_t *hash_add_entry(flow_hash_table_t *fht, const ui
 assert(hv < fht->num_buckets);
- he = malloc(sizeof (*he));
+ he = safe_malloc(sizeof (*he));
 if (!he) {
 warn("out of memory");
 return NULL;
@@ -321,6 +321,7 @@ flow_entry_type_t flow_decode(flow_hash_table_t *fht, const struct pcap_pkthdr *
 icmp_hdr = (icmpv4_hdr_t*)(pktdata + ip_len + l2_len);
 entry.src_port = icmp_hdr->icmp_type;
 entry.dst_port = icmp_hdr->icmp_code;
+ break;
 }
 /* hash the 5-tuple */
@@ -332,15 +333,15 @@ flow_entry_type_t flow_decode(flow_hash_table_t *fht, const struct pcap_pkthdr *
 static void flow_cache_clear(flow_hash_table_t *fht) {
 flow_hash_entry_t *fhe = NULL;
- flow_hash_entry_t *fhe_tmp = NULL;
+ flow_hash_entry_t *fhe_next = NULL;
 size_t i;
 for (i = 0; i < fht->num_buckets; i++) {
- if ( (fhe = fht->buckets[i]) ) {
+ if ((fhe = fht->buckets[i]) != NULL) {
 while (fhe) {
- fhe_tmp = fhe;
- fhe = fhe->next;
- free(fhe_tmp);
+ fhe_next = fhe->next;
+ safe_free(fhe);
+ fhe = fhe_next;
 }
 fht->buckets[i] = NULL;
 }
@@ -366,6 +367,6 @@ void flow_hash_table_release(flow_hash_table_t *fht)
 return;
 flow_cache_clear(fht);
- free(fht->buckets);
- free(fht);
+ safe_free(fht->buckets);
+ safe_free(fht);
 }
From 13e555a1376e81bcd798438b029a85ec44d8aef8 Mon Sep 17 00:00:00 2001 
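Review bot: The `if (!he)` branch kept after the new `safe_malloc` call in hash_add_entry looks unreachable: as far as I recall tcpreplay's safe_malloc wrapper aborts the process (errx) when allocation fails instead of returning NULL, so `warn("out of memory"); return NULL;` can no longer execute and callers checking for NULL are given a contract the function no longer honours. If that is the wrapper's behaviour, drop the three dead lines and say so at the call, e.g. `he = safe_malloc(sizeof (*he)); /* aborts on OOM, never returns NULL */`; if flow tracking is meant to survive allocation failure (it is best-effort in a replay tool), keep plain malloc with the check instead. hash_add_entry's body continues past the hunk, so I cannot see how the rest of the function or its callers treat a NULL result.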
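Review bot: `icmp_hdr->icmp_type` and `icmp_hdr->icmp_code` are read at `pktdata + ip_len + l2_len` with no length check visible in the hunk, so a capture truncated just after the IP header (snaplen smaller than the frame, or a crafted short packet) reads past the captured bytes. Unless flow_decode already verifies `pkthdr->caplen` earlier in the function — both its start and its end are outside this hunk — the ICMP case should bail out before the dereference, e.g. `if (pkthdr->caplen < l2_len + ip_len + sizeof(*icmp_hdr)) return <the function's invalid/non-IP result>;`. If the other transport cases in the same switch index their headers the same way, they want the same guard; the added `break;` only stops the fall-through, it does not bound the read.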
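Review bot: The outer `if ((fhe = fht->buckets[i]) != NULL)` in flow_cache_clear is redundant with the `while (fhe)` it wraps — an empty bucket skips the loop either way and assigning `fht->buckets[i] = NULL` unconditionally is harmless — so the new code keeps two nesting levels for a single list walk. It reads more naturally as one for-loop that saves the successor before freeing: `for (fhe = fht->buckets[i]; fhe != NULL; fhe = fhe_next) {` / `fhe_next = fhe->next; safe_free(fhe);` / `}` followed by `fht->buckets[i] = NULL;`. The reordering this commit does make (read `fhe->next` before `safe_free(fhe)`) is the correct one and should be kept in whichever form survives.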
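Review bot: flow_hash_table_release now frees the table itself with `safe_free(fht)`, but nothing in the hunk documents that the caller's pointer is dangling afterwards, and since `fht` is passed by value the function cannot clear it, so a second call with the same pointer is a double free. A header comment on the function (its signature is above the hunk) would make the ownership contract explicit, e.g. `/* Frees every cached flow entry, the bucket array and the table itself; fht must not be used, or released again, after this returns. */`. Callers that keep the pointer in a context struct should NULL it at the call site.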
From: Fred Klassen
Date: Wed, 3 Jun 2020 11:15:07 -0700
Subject: [PATCH 2/2] Bug #594 Add some additional headroom to cached packets
When using '--preload-pcap' option any additional VLAN headers results in Heap Buffer Overflow. Add 512 bytes additional buffer space. TODO: Add intelligence to understand when and how much memory to allocate/reallocate based on tcpedit function.
---
 src/defines.h.in | 2 ++
 src/send_packets.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/defines.h.in b/src/defines.h.in
index d46cd0e64..3e4ba06d6 100644
--- a/src/defines.h.in
+++ b/src/defines.h.in
@@ -161,6 +161,8 @@ typedef struct tcpr_speed_s {
 * couple VLAN headers or a L2 header
 */
+#define PACKET_HEADROOM 512 /* additional headroom allocated for packets to accommodate editing */
+
 #define DNS_RESOLVE 1
 #define DNS_DONT_RESOLVE 0
diff --git a/src/send_packets.c b/src/send_packets.c
index 672e8e727..ca93bfaf1 100644
--- a/src/send_packets.c
+++ b/src/send_packets.c
@@ -1055,7 +1055,7 @@ get_next_packet(tcpreplay_t *ctx, pcap_t *pcap, struct pcap_pkthdr *pkthdr, int
 (*prev_packet)->next = NULL;
 pktlen = pkthdr->len;
- (*prev_packet)->pktdata = safe_malloc(pktlen);
+ (*prev_packet)->pktdata = safe_malloc(pktlen + PACKET_HEADROOM);
 memcpy((*prev_packet)->pktdata, pktdata, pktlen);
 memcpy(&((*prev_packet)->pkthdr), pkthdr, sizeof(struct pcap_pkthdr));
 }
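Review bot: `PACKET_HEADROOM 512` is a magic number whose only justification is the commit message's own TODO, and its comment does not say which edits it is sized for or what happens when an edit needs more — the heap overflow this commit addresses simply moves to packets that tcpedit grows by more than 512 bytes. Tie the value to the worst case it has to cover and state the limit in the comment, e.g. `/* Extra bytes allocated after each cached packet so tcpedit can grow it in place (e.g. added VLAN tags, a rewritten L2 header). Edits that grow a packet by more than this still overflow the buffer. */`. The context line just above the new define already describes an allowance for "a couple VLAN headers or a L2 header"; if that comment belongs to an existing constant, the two should be reconciled rather than defined independently.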
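Review bot: The copy on the line after the changed allocation reads `pktlen` bytes from `pktdata`, but `pktlen` is `pkthdr->len` (wire length) while pcap only guarantees `pkthdr->caplen` bytes in the buffer it hands back, so on a capture whose snaplen is shorter than the frame `memcpy` over-reads libpcap's buffer regardless of the new headroom. Unless caplen is normalised to len earlier in get_next_packet (its start is outside the hunk), bound the copy — `size_t copylen = pkthdr->caplen < pktlen ? pkthdr->caplen : pktlen;` then `memcpy((*prev_packet)->pktdata, pktdata, copylen);` — while keeping `pktlen + PACKET_HEADROOM` as the allocation size; if safe_malloc does not zero-fill, memset the uncopied tail so tcpedit never reads uninitialised bytes. Note also that nothing in the hunk records the buffer's capacity alongside the cached packet, so the fixed headroom is a mitigation a downstream editor cannot check against before growing the packet.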