From 55510f8fb1cc2db6502da177c177d2fed6caf924 Mon Sep 17 00:00:00 2001
From: William Robinet
Date: Thu, 3 Sep 2020 19:07:21 +0200
Subject: [PATCH] Fix segfault by OOB read on malformed packets (2)
---
 base/tcppack.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/base/tcppack.c b/base/tcppack.c
index bfeb268..fcdc360 100644
--- a/base/tcppack.c
+++ b/base/tcppack.c
@@ -242,7 +242,12 @@ static int process_data_segment(conn,handler,p,stream,direction)
 long l;
 l=p->len - p->tcp->th_off * 4;
-
+
+ if(l < 0) {
+ printf("Malformed packet, computed TCP segment size is negative, skipping ...\n");
+ return(0);
+ }
+
 if(stream->close){
 DBG((0,"Rejecting packet received after FIN: %u:%u(%u)", ntohl(p->tcp->th_seq),ntohl(p->tcp->th_seq+l),l));
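Review bot: The added guard in process_data_segment only rejects the case where `p->tcp->th_off * 4` exceeds `p->len`; a data offset below 5 (shorter than the 20-byte minimum TCP header) still yields a non-negative `l` and passes. Unless that is validated before this function is called, which the hunk does not show, consider `if(l < 0 || p->tcp->th_off < 5) {`. The message is also written with `printf` to stdout while the neighbouring code reports through `DBG`; since any malformed packet in the capture triggers it, `fprintf(stderr, ...)` would keep these per-packet diagnostics out of whatever the tool writes to stdout. The function body starts and ends outside the hunk.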