Technically, this is not really an incomplete fix of the previous integer overflow issues, but rather a new issue affecting the same code part as the previous issues.
In the new attack, the attacker aims to exploit a NULL pointer dereference flaw. This is achieved by sending a message with a non-0 offset. When such a message is processed in msn_slplink_process_msg(), msn_slplink_message_find() is called to find previous parts of the message sent within the same session. With specially crafted previous messages, msn_slplink_message_find() may return a structure for an ACK message, rather than a request message, that later triggers a NULL pointer dereference in:
memcpy(slpmsg->buffer + offset, data, len);
In an ACK message, slpmsg->buffer is NULL and the attacker-supplied offset can be used to control what memory area will be overwritten.
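The defensive pattern the comment above implies, as an added example that is not part of the bug report and not Pidgin's own code: before reassembling a chunk, verify that the record returned by the lookup is actually a request with an allocated buffer, and that offset and length fit inside it. The struct, the lookup and the result codes below (slp_msg, slp_find_message, slp_process_chunk, SLP_ERR_*) are a constructed, simplified model, not libpurple's real API; the lookup deliberately returns the first record matching the session id regardless of its kind, to mirror the failure mode described.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of an SLP message record (not libpurple's struct). */
typedef enum { SLP_MSG_REQUEST = 0, SLP_MSG_ACK = 1 } slp_msg_kind;

typedef struct {
    uint32_t session_id;
    slp_msg_kind kind;
    unsigned char *buffer;   /* NULL for ACKs, allocated for requests */
    size_t size;             /* allocated size of buffer */
} slp_msg;

/* Result codes returned by slp_process_chunk(). */
enum { SLP_OK = 0, SLP_ERR_NOT_FOUND = -1, SLP_ERR_NOT_REQUEST = -2, SLP_ERR_BOUNDS = -3 };

/* Stand-in for the "find previous part" lookup: returns the first record with a
 * matching session id, whatever its kind, so an ACK can come back instead of a request. */
slp_msg *slp_find_message(slp_msg *list, size_t n, uint32_t session_id)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].session_id == session_id)
            return &list[i];
    return NULL;
}

/* Hardened chunk handler: writes only into a request record that owns a real buffer,
 * and only when [offset, offset+len) lies inside it. The bounds test is written as a
 * subtraction so that a huge offset cannot wrap offset + len back into range. */
int slp_process_chunk(slp_msg *list, size_t n, uint32_t session_id,
                      size_t offset, const unsigned char *data, size_t len)
{
    slp_msg *slpmsg = slp_find_message(list, n, session_id);
    if (slpmsg == NULL)
        return SLP_ERR_NOT_FOUND;
    if (slpmsg->kind != SLP_MSG_REQUEST || slpmsg->buffer == NULL)
        return SLP_ERR_NOT_REQUEST;          /* the ACK / NULL-buffer case */
    if (offset > slpmsg->size || len > slpmsg->size - offset)
        return SLP_ERR_BOUNDS;
    memcpy(slpmsg->buffer + offset, data, len);
    return SLP_OK;
}

/* Constructed scenarios. The list holds an ACK for session 7 (NULL buffer) ahead of a
 * request for session 7, and a request for session 9 with a 16-byte buffer. */
static unsigned char g_req7[16];
static unsigned char g_req9[16];
static const unsigned char g_data[4] = { 'A', 'B', 'C', 'D' };

static size_t build_list(slp_msg out[3])
{
    out[0] = (slp_msg){ 7, SLP_MSG_ACK, NULL, 0 };
    out[1] = (slp_msg){ 7, SLP_MSG_REQUEST, g_req7, sizeof g_req7 };
    out[2] = (slp_msg){ 9, SLP_MSG_REQUEST, g_req9, sizeof g_req9 };
    return 3;
}

/* Lookup for session 7 yields the ACK: the write must be refused, not dereferenced. */
int slp_scenario_ack_rejected(void)
{
    slp_msg list[3]; size_t n = build_list(list);
    return slp_process_chunk(list, n, 7, 8, g_data, sizeof g_data);
}

/* Session 9 is a real request, but offset 14 + 4 bytes overruns a 16-byte buffer. */
int slp_scenario_out_of_bounds(void)
{
    slp_msg list[3]; size_t n = build_list(list);
    return slp_process_chunk(list, n, 9, 14, g_data, sizeof g_data);
}

/* An offset near SIZE_MAX would wrap a naive offset + len check; the subtraction form rejects it. */
int slp_scenario_wrapping_offset(void)
{
    slp_msg list[3]; size_t n = build_list(list);
    return slp_process_chunk(list, n, 9, SIZE_MAX - 2, g_data, sizeof g_data);
}

/* In-range write into session 9 succeeds and lands at the requested offset. */
int slp_scenario_valid_write(void)
{
    slp_msg list[3]; size_t n = build_list(list);
    memset(g_req9, 0, sizeof g_req9);
    int rc = slp_process_chunk(list, n, 9, 4, g_data, sizeof g_data);
    return rc == SLP_OK && memcmp(g_req9 + 4, g_data, sizeof g_data) == 0;
}

int main(void)
{
    printf("ack rejected: %d\n", slp_scenario_ack_rejected());
    printf("out of bounds: %d\n", slp_scenario_out_of_bounds());
    printf("wrapping offset: %d\n", slp_scenario_wrapping_offset());
    printf("valid write ok: %d\n", slp_scenario_valid_write());
    return 0;
}
```

The two checks are independent: the kind/buffer test addresses the NULL dereference this comment describes, while the subtraction-form bounds test addresses the earlier integer overflow class, so a fix for one does not silently undo the other.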