© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I asked:
"Any news? So you're saying that the array of offers is guaranteed to be
small in the two usages of the function in RELP?"
And Rainer replied:
"Yes, for the current version. The offers are generated based on capabilities
and the current code has not enough capabilities to exhaust the buffer.
Anyhow, I'll look at it as soon as I am finished with my rsyslog threading
work. Probably the best cure is count the size and do a realloc() if it is
exhausted. That safes it for future development (it's too easy to forget
about fixing it once other things are developed...).
None of the offers is user-provided, though, so even in this case I don't see
a way to exploit it (except crashing on its own, which is kind of a DoS...)."