On Sun, Apr 20, 2014 at 04:30:20PM +0200, Holger Hans Peter Freyther wrote:
ping?
I had that patch done already. (see attachment)
what was the message id? I didn't see it.
Could you please answer this one?
This lacks input validation. The code needs to check that the data we read is within the bounds of the msgb and the data we write is within the bounds too.
Do you understand the severity? It is this kind of issue that OpenSSL had with Heartbleed. In this case our length is only a uint8_t and our msgb is most likely over-allocated so we might be lucky that nothing else will be leaked from the application.
holger
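The two checks asked for above (the read stays inside the valid data of the source message, the write stays inside the allocation of the destination), as an added example in C. This is not code from the thread or from libosmocore: `struct buf` is a deliberately simplified stand-in for msgb, and every name in it (`data`, `len`, `size`, `copy_lv_checked`, `run_checked`) is an assumption made for the illustration. The element format assumed is a one-byte length L followed by L bytes, which is why the length field is a uint8_t as in the message above.

```c
/* Added example, not libosmocore code. `struct buf` approximates msgb:
 * a data pointer, the number of valid bytes, and the allocated size.
 * All field and function names are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct buf {
	uint8_t *data;	/* start of the valid bytes */
	size_t len;	/* number of valid bytes at data */
	size_t size;	/* total bytes allocated at data */
};

/* Unchecked variant of "copy a length-prefixed element": trusts the
 * length byte. If L is larger than the valid bytes in src, memcpy reads
 * past the message, leaking whatever the over-allocated tail holds
 * (the Heartbleed pattern); if dst is too small, it writes past the
 * allocation. Kept only for comparison; never call it on untrusted input. */
static int copy_lv_unchecked(struct buf *dst, const struct buf *src)
{
	uint8_t l = src->data[0];
	memcpy(dst->data + dst->len, src->data + 1, l);
	dst->len += l;
	return l;
}

/* Checked variant: the read must stay inside src->len (valid bytes, not
 * the allocation) and the write inside dst->size. Returns bytes copied
 * or -1 if either bound would be violated; dst is left untouched then. */
static int copy_lv_checked(struct buf *dst, const struct buf *src)
{
	if (src->len < 1)
		return -1;			/* not even a length byte present */
	uint8_t l = src->data[0];
	if ((size_t)l > src->len - 1)
		return -1;			/* would read past the valid data */
	if ((size_t)l > dst->size - dst->len)
		return -1;			/* would write past the allocation */
	memcpy(dst->data + dst->len, src->data + 1, l);
	dst->len += l;
	return l;
}

/* Driver: wraps a constructed byte string as the source message, a zeroed
 * destination of dst_size bytes, runs the checked copy and returns its
 * result. The 64-byte backing stores stand in for an over-allocated msgb. */
static int run_checked(const uint8_t *bytes, size_t n, size_t dst_size)
{
	uint8_t src_storage[64];
	uint8_t dst_storage[64];
	if (n > sizeof(src_storage) || dst_size > sizeof(dst_storage))
		return -2;
	memcpy(src_storage, bytes, n);
	memset(dst_storage, 0, sizeof(dst_storage));
	struct buf src = { src_storage, n, sizeof(src_storage) };
	struct buf dst = { dst_storage, 0, dst_size };
	return copy_lv_checked(&dst, &src);
}

/* Constructed inputs: a well-formed element (L = 3, three bytes follow)
 * and a lying one (L = 16, only two bytes follow). */
static const uint8_t good_lv[] = { 0x03, 0xaa, 0xbb, 0xcc };
static const uint8_t lying_lv[] = { 0x10, 0xaa, 0xbb };

int main(void)
{
	uint8_t s[64], d[64];
	memcpy(s, good_lv, sizeof(good_lv));
	struct buf src = { s, sizeof(good_lv), sizeof(s) };
	struct buf dst = { d, 0, sizeof(d) };
	/* Safe only because the input is known-good. */
	copy_lv_unchecked(&dst, &src);
	return run_checked(good_lv, sizeof(good_lv), 16) == 3 &&
	       run_checked(lying_lv, sizeof(lying_lv), 16) == -1 ? 0 : 1;
}
```

The point of comparing against `src->len` rather than `src->size` is the remark above about over-allocation: a check against the allocation would not crash, but it would still let a lying length byte copy the unused tail of the buffer, which is exactly the data that leaks.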