tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: state of netbt
Le 04/08/2018 à 22:14, Iain Hibbert a écrit :
Hi
While that may be strictly true, at this level we are parsing data provided
by the local hardware itself
I know that
[...]
If you think it is really necessary to parse this locally produced data in
a more complete way, I can look at it later (I'm away sailing now)
I don't "think" it is, it just is. For the same reason that there are already
many other checks in this same piece of code.
But what I'm talking about is the code in general, not just this example
(which I threw down there, because that's the first I found when I spent two
minutes to re-read the code the other day).
Another example:
l2cap_recv_frame -> l2cap_recv_signal -> l2cap_recv_command_rej
We do:
m_copydata(m, 0, cmd.length, &cp);
Where cmd.length can actually be zero. Then we read "cp", but it's not
initialized. It doesn't seem impossible to me for an attacker to retrieve
this leaked stack content.
Etc, whatever, I only wanted to know if the code was considered as dead and
not worth fixing. Since the answer is "no", I guess I'll fix it...
Home |
Main Index |
Thread Index |
Old Index