The PoC has not been fully tested, because it should trigger the vulnerability,
10
-
i.e integer overflow, that leads to a buffer overflow on the heap is reached after 1048576 packets sent, because 1048576\*4 overflow integer of 32 bits.
10
+
i.e integer overflow, that leads to a buffer overflow on the heap is reached after 1048576 packets sent, because 1048576\*4096 overflow integer of 32 bits.
11
11
12
12
Did not found any way to cheat on the size, to me seems that fragment len, that is 16 bits, is checked against the real payload size, they must be coherent.
