Possible security issues to watch
Bug #422022 reported by Michael Terry
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
librelp (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Some concerns came out of the MIR for librelp (bug 388606).
1) relpOffersToString does not bounds-check the output string (even has a "TODO" listed), as it uses a fixed 4096 size.
2) relpOfferValueAdd will wrap integers (since Data len is 255 characters, converted back to int), though nothing meaningfully depends on this yet. If an intVal is ever used for length calculations, there will be trouble. (Also note strncpy doesn't terminate if it encounters max characters, though again, currently safe due to equal sized src/dest buffers.)
Issue #1 is fixed in librelp git, so should be available once librelp 0.1.4 is released.
I don't think issue #2 was communicated to upstream yet.
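The report describes the two missing checks but shows no code. As an added illustration (not librelp's own code), here is what those checks look like in C: a serializer that refuses to overrun a fixed 4096-byte output buffer and always leaves it NUL-terminated, and a decimal-to-int conversion that rejects wrapped or out-of-range values before they can reach a length calculation. The offer_t struct, the function names and the sample offer values are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define OFFER_BUF_SIZE 4096   /* the fixed output size named in the report */

/* Hypothetical offer representation for this example; not librelp's own struct. */
typedef struct { const char *name; const char *value; } offer_t;

/* Append src to dst (capacity cap, current length *len). Returns 0 on success,
 * -1 if it would not fit; dst stays NUL-terminated either way. */
static int append_bounded(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (n > cap - 1 - *len)     /* refuse rather than overrun the buffer */
        return -1;
    memcpy(dst + *len, src, n);
    *len += n;
    dst[*len] = '\0';
    return 0;
}

/* Serialise offers as "name=value\n" lines. Returns bytes written, or -1 when
 * the set does not fit in out: the bounds check relpOffersToString lacked. */
int offers_to_string(const offer_t *offers, size_t count, char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (append_bounded(out, cap, &len, offers[i].name)  < 0 ||
            append_bounded(out, cap, &len, "=")             < 0 ||
            append_bounded(out, cap, &len, offers[i].value) < 0 ||
            append_bounded(out, cap, &len, "\n")            < 0)
            return -1;
    }
    return (int)len;
}

/* Convert a decimal offer value to int, rejecting trailing garbage and anything
 * outside [0, INT_MAX], so a later length calculation never sees a wrapped value. */
int parse_offer_int(const char *value, int *result)
{
    char *end;
    errno = 0;
    long v = strtol(value, &end, 10);
    if (end == value || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX)
        return -1;
    *result = (int)v;
    return 0;
}
```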