Comment 6 for bug 416306

Technically, this is not really an incomplete fix of the previous integer overflow issues, rather a new issue affecting same code part as previous issues.

In the new attack, attacker aims to exploit a NULL pointer dereference flaw. This is achieved by sending message with non-0 offset. When such message is processed in msn_slplink_process_msg(), msn_slplink_message_find() is called to find previous parts of the message sent within the same session. With specially crafted previous messages, msn_slplink_message_find() may return a structure for ACK message, rather than request message, that later triggers NULL pointer dereference in:

  memcpy(slpmsg->buffer + offset, data, len);

In ACK message, slpmsg->buffer is NULL and attacker supplied offset can be used to control what memory area will be overwritten.