Comment 2 for bug 388606

Michael Terry (mterry) wrote:

I emailed the author, Rainer Gerhards. He said this:

"I've had a quick look at the code. It looks indeed like an easy fix, but I
think there is no issue at all (thus the TODO is not yet done): as far as I
remember, this is only called from within the RELP application and not based
on anything received from the wire. So it can not be exploited, because the
current RELP code never generates a greeting of that size (it is less than 512
bytes). But I will check tomorrow in more detail."

He hasn't gotten back to me yet in a couple of days, so I assume no further surprises appeared. I've sent a follow-up.

As for where the function is used: it's not exposed as part of the UI, but it is in the symbols table. It's used twice in the source, but I'm not qualified to tell if they're safe uses myself. It would seem to depend on how long the 'offers' array is.
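The argument in the comment above is that the greeting is safe only because every caller keeps it under the 512-byte buffer. Below is an added illustration, written for this page and not librelp's code or anything from the bug thread, of a hypothetical greeting builder that joins an 'offers' array into a 512-byte buffer and refuses to write once the offers would no longer fit, so the fix does not depend on what callers happen to pass. The function names, the offer strings, the newline-separated layout and the sample inputs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size greeting buffer. The 512-byte figure is taken from
 * the comment above; the rest of this file is example code, not librelp's. */
#define GREETING_BUF_SIZE 512

/* Bytes needed to hold all offers, one per line, plus the terminating NUL.
 * Useful for deciding whether a given offers array can ever fit. */
size_t greeting_length(const char *const *offers, size_t noffers)
{
    size_t total = 1; /* NUL terminator */
    for (size_t i = 0; i < noffers; i++)
        total += strlen(offers[i]) + 1; /* offer text plus '\n' separator */
    return total;
}

/* Join the offers into buf, one per line, in the assumed layout
 * "offer1\noffer2\n...". Returns 0 on success and -1 if the offers would
 * not fit, without ever writing past buf[buflen - 1] in either case. */
int build_greeting(char *buf, size_t buflen, const char *const *offers, size_t noffers)
{
    size_t used = 0;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';

    for (size_t i = 0; i < noffers; i++) {
        size_t len = strlen(offers[i]);
        size_t room = buflen - 1 - used; /* space left before the NUL slot */

        /* Check before copying: the offer plus its separator must fit. */
        if (len + 1 > room)
            return -1;

        memcpy(buf + used, offers[i], len);
        used += len;
        buf[used++] = '\n';
        buf[used] = '\0';
    }
    return 0;
}

/* Constructed input: a short offers list that fits comfortably. */
int demo_short_fits(void)
{
    const char *offers[] = { "offer_one=1", "offer_two=2" };
    char buf[GREETING_BUF_SIZE];

    if (build_greeting(buf, sizeof buf, offers, 2) != 0)
        return 0;
    return strcmp(buf, "offer_one=1\noffer_two=2\n") == 0;
}

/* Constructed input: eight 100-byte offers, 809 bytes in total, which the
 * checked builder must reject instead of overrunning the 512-byte buffer. */
int demo_long_rejected(void)
{
    static char big[101];
    const char *offers[8];
    char buf[GREETING_BUF_SIZE];

    memset(big, 'A', 100);
    big[100] = '\0';
    for (int i = 0; i < 8; i++)
        offers[i] = big;

    if (greeting_length(offers, 8) != 809)
        return 0;
    return build_greeting(buf, sizeof buf, offers, 8) == -1;
}

int main(void)
{
    printf("short offers fit:     %s\n", demo_short_fits() ? "yes" : "no");
    printf("oversized rejected:   %s\n", demo_long_rejected() ? "yes" : "no");
    return 0;
}
```

The check sits inside the builder rather than at each call site, which is the point of the exchange above: whether the two current callers are "safe uses" stops mattering once the function itself cannot write past the buffer.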