On Sun, Apr 20, 2014 at 04:30:20PM +0200, Holger Hans Peter Freyther wrote:
ping?
I had that patch done already. (see attachment)
what was the message id? I didn't see it.
Could you please answer this one?
This lacks input validation. The code needs to check that the data we read is within the bounds of the msgb and the data we write is within the bounds too.
Do you understand the severity? It is this kind of issue that OpenSSL
had with Heartbleed. In this case our length is only a uint8_t and our
msgb is most likely over-allocated so we might be lucky that nothing
else will be leaked from the application.
holger
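The two checks Holger asks for, as an added example that is not the patch from this thread and does not use libosmocore's real msgb API: a simplified stand-in message buffer (`struct example_msgb`, an assumption for this example) and a copy routine for a length-prefixed element whose length is a single uint8_t. It checks that the length byte and the payload it announces both lie inside the message before reading, and that the destination has room before writing; the return convention (bytes consumed, or -1 on any violation) is also an assumption.

```c
/* Added example (not the patch from the thread, not libosmocore's msgb API):
 * a simplified message buffer and a bounds-checked copy of a
 * length-prefixed element (one uint8_t length byte followed by payload). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical simplified message buffer: 'data' points at the first valid
 * byte, 'len' is how many valid bytes follow it. Stands in for the real
 * msgb discussed on the list; it is an assumption for this example. */
struct example_msgb {
	const uint8_t *data;
	size_t len;
};

/* Return value convention (assumption): number of bytes consumed from the
 * message on success, -1 on any bounds violation. Nothing is copied on error. */
int copy_len_prefixed(const struct example_msgb *msg, size_t offset,
		      uint8_t *out, size_t out_size, size_t *out_len)
{
	/* Read-side check 1: the length byte itself must lie inside the msgb. */
	if (offset >= msg->len)
		return -1;
	uint8_t elem_len = msg->data[offset];

	/* Read-side check 2: the payload the length byte announces must also
	 * lie inside the msgb. Without this the copy reads past the valid
	 * bytes, which is the over-read compared to Heartbleed above; an
	 * over-allocated msgb only makes the leak smaller, not absent. */
	if (elem_len > msg->len - offset - 1)
		return -1;

	/* Write-side check: the destination must have room for the payload. */
	if (elem_len > out_size)
		return -1;

	memcpy(out, msg->data + offset + 1, elem_len);
	*out_len = elem_len;
	return 1 + elem_len;
}

/* Constructed sample: a 3-byte message whose length byte claims 200 bytes. */
static const uint8_t sample_short[] = { 0xc8, 0x01, 0x02 };
/* Constructed sample: a well-formed 2-byte element followed by one more byte. */
static const uint8_t sample_ok[] = { 0x02, 0xaa, 0xbb, 0xff };

/* Truncated message: expect -1, nothing read past the buffer. */
int demo_short(void)
{
	struct example_msgb m = { sample_short, sizeof(sample_short) };
	uint8_t out[16];
	size_t n = 0;
	return copy_len_prefixed(&m, 0, out, sizeof(out), &n);
}

/* Well-formed element: expect 3 bytes consumed and 0xaa 0xbb copied. */
int demo_ok(void)
{
	struct example_msgb m = { sample_ok, sizeof(sample_ok) };
	uint8_t out[16];
	size_t n = 0;
	int r = copy_len_prefixed(&m, 0, out, sizeof(out), &n);
	return (r == 3 && n == 2 && out[0] == 0xaa && out[1] == 0xbb) ? 1 : 0;
}

/* Destination too small for a valid element: expect -1, nothing written. */
int demo_small_dest(void)
{
	struct example_msgb m = { sample_ok, sizeof(sample_ok) };
	uint8_t out[1];
	size_t n = 0;
	return copy_len_prefixed(&m, 0, out, sizeof(out), &n);
}

int main(void)
{
	printf("short message: %d\n", demo_short());
	printf("well-formed:   %d\n", demo_ok());
	printf("small dest:    %d\n", demo_small_dest());
	return 0;
}
```

The subtraction `msg->len - offset - 1` is done only after `offset < msg->len` has been established, so it cannot wrap; keeping the read-side and write-side checks separate makes it obvious in review that both halves of the requirement are covered.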