On Wed, Sep 09, 2020 at 05:37:37AM +0800, nan chen wrote:
> Looks like the judgment of len cannot avoid the memory overflow of the memcpy below.
> case LCP_OPTION_ACCM: /* async control character map */
> + if (len < sizeof(valid
There were two bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) We assume that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.
Reported-by: ChenNan Of Chaitin Security Research Lab
Fix
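As an added illustration of the two checks described above (not the patch from this thread, and not the kernel's own code), here is a constructed LCP option walker in userspace C. `scan_lcp_options`, `valid_accm`'s contents, the `LCP_OPTION_ACCM` value and the sample buffers are all hypothetical stand-ins; only the shape of the checks mirrors the discussion.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical constants: stand-ins for the kernel's option type and the
 * expected ACCM option (type, length, four map bytes). */
#define LCP_OPTION_ACCM 0x02
static const uint8_t valid_accm[6] = { LCP_OPTION_ACCM, 6, 0, 0, 0, 0 };

enum accm_result { ACCM_NONE, ACCM_MATCHED, ACCM_REJECT_BAD_LEN, ACCM_REJECT_MISMATCH };

/* Walk an LCP option list where each option is [type, len, data...] and
 * len counts the two header bytes.  Report how the ACCM option was handled. */
enum accm_result scan_lcp_options(const uint8_t *opt, size_t len)
{
    while (len >= 2) {
        size_t optlen = opt[1];

        /* Bug 1: an option length below 2 never advances the cursor, so the
         * loop would spin forever; it is also not a valid option. Also refuse
         * a length that runs past the remaining buffer. */
        if (optlen < 2 || optlen > len)
            return ACCM_REJECT_BAD_LEN;

        if (opt[0] == LCP_OPTION_ACCM) {
            /* Bug 2: only copy when the option really carries sizeof(valid_accm)
             * bytes; without this check memcpy reads past a short option. */
            if (optlen < sizeof(valid_accm))
                return ACCM_REJECT_BAD_LEN;
            uint8_t accm[sizeof(valid_accm)];
            memcpy(accm, opt, sizeof(accm));
            return memcmp(accm, valid_accm, sizeof(accm)) == 0
                       ? ACCM_MATCHED : ACCM_REJECT_MISMATCH;
        }
        opt += optlen;
        len -= optlen;
    }
    return ACCM_NONE;
}

int main(void)
{
    /* Constructed samples: a zero-length option and a truncated ACCM option. */
    const uint8_t zero_len[] = { 0x01, 0x00, 0x02, 0x06 };
    const uint8_t short_accm[] = { 0x02, 0x04, 0x00, 0x00 };
    printf("zero-length option -> %d\n", scan_lcp_options(zero_len, sizeof(zero_len)));
    printf("short ACCM option  -> %d\n", scan_lcp_options(short_accm, sizeof(short_accm)));
    return 0;
}
```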