On Thu, 2016-01-28 at 16:59 +0800, Zhouyi Zhou wrote:
> Thanks Eric for your review and advice.
> 
> I think hackers could build a malicious h323 packet to overflow
> the pointer p which will panic during the memcpy(addr, p, len)
> 
> For example, he may fabricate a very large taddr->ipAddress.ip;
> 
> Signed-off-by: Zhouyi Zhou <yizhouz...@ict.ac.cn>
> ---

Except you did not address my feedback about potentially reading not
initialized memory.

If the frame length was 1000 bytes, then surely accessing memory at
offset 8000 will either read garbage, or read data from a prior frame
and leak secrets.
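
Added example, not part of the original thread and not the kernel patch under discussion: a minimal C illustration of the point above, that an offset must be checked against the length of the current frame rather than the size of the buffer. The struct, function names, buffer size and the "KEY!" marker are hypothetical and constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parse context: buf is reused from one frame to the next. */
struct parse_ctx {
    const unsigned char *buf;
    size_t cap;        /* allocated size of buf */
    size_t frame_len;  /* bytes actually received for the current frame */
};

/* Overflow-safe range check against a limit, then copy. */
static int copy_within(const unsigned char *buf, size_t limit, size_t off,
                       unsigned char *dst, size_t len)
{
    if (off > limit || len > limit - off)
        return -1;
    memcpy(dst, buf + off, len);
    return 0;
}

/* Weak: stays inside the allocation, but may return stale bytes. */
static int copy_cap_checked(const struct parse_ctx *c, size_t off,
                            unsigned char *dst, size_t len)
{ return copy_within(c->buf, c->cap, off, dst, len); }

/* Strict: only bytes that belong to the current frame are readable. */
static int copy_frame_checked(const struct parse_ctx *c, size_t off,
                              unsigned char *dst, size_t len)
{ return copy_within(c->buf, c->frame_len, off, dst, len); }

/* Returns 1 when the weak check hands back bytes left over from the prior
 * frame while the strict check rejects the same read. */
static int demo(void)
{
    static unsigned char buf[16384];
    unsigned char out[4];
    struct parse_ctx c = { buf, sizeof(buf), 0 };

    memset(buf, 0xAA, 9000);        /* constructed frame 1: 9000 bytes */
    memcpy(buf + 8000, "KEY!", 4);  /* constructed marker at offset 8000 */
    memset(buf, 0xBB, 1000);        /* constructed frame 2: 1000 bytes */
    c.frame_len = 1000;

    int leaked = copy_cap_checked(&c, 8000, out, 4) == 0 &&
                 memcmp(out, "KEY!", 4) == 0;
    return leaked && copy_frame_checked(&c, 8000, out, 4) == -1;
}

int main(void) { return demo() ? 0 : 1; }
```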


