On 2018-08-17 05:53 AM, Pekka Paalanen wrote:
> On Tue, 14 Aug 2018 13:07:53 +0200
> Michal Srb wrote:
>
>> If the remote side sends a sufficiently large `length` field, it will
>> overflow the `p` pointer. Technically it is undefined behavior, in
>> practice it makes `p < end`, so the length check passes. Attempts to
>> access the data later cause crashes.
>> This issue manifests only on 32bit systems, but the beha
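The pointer-wrap described above, as an added C example that is not code from this thread or from the project under discussion: `length_fits` is the overflow-safe form of the check (compare `length` against the remaining space instead of forming `p + length`), and `length_check_32bit_model` reproduces the 32-bit wraparound on any host by modelling addresses as `uint32_t`. The sample buffer and addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-safe bounds check: never compute p + length; compare the
 * requested length against the space left in [p, end) instead.
 * Behaves the same on 32-bit and 64-bit hosts. */
static bool length_fits(const char *p, const char *end, uint32_t length)
{
    if (p > end)
        return false;
    return length <= (size_t)(end - p);
}

/* Model of the overflow-prone pattern `p + length < end` with 32-bit
 * addresses (assumed model, not real pointers): p + length wraps modulo
 * 2^32, so a huge length can land below end and be accepted. */
static bool length_check_32bit_model(uint32_t p, uint32_t end, uint32_t length)
{
    uint32_t candidate = p + length;   /* wraps around on overflow */
    return candidate < end;            /* "passes" when it wrapped */
}

/* Constructed sample: 16-byte message buffer, 8-byte header consumed. */
static char sample_buf[16];

static bool safe_accepts(uint32_t length)
{
    return length_fits(sample_buf + 8, sample_buf + sizeof sample_buf, length);
}

int main(void)
{
    const uint32_t p = 0x10000008u, end = 0x10000010u;

    printf("safe  length=8          -> %d\n", safe_accepts(8));
    printf("safe  length=UINT32_MAX -> %d\n", safe_accepts(UINT32_MAX));
    /* 0x10000008 + 0xEFFFFFFC wraps to 0x00000004, which is < end */
    printf("model length=0xEFFFFFFC -> %d (wrapped, wrongly accepted)\n",
           length_check_32bit_model(p, end, 0xEFFFFFFCu));
    return 0;
}
```

The safe check rejects the wrapping length because `end - p` is only 8 bytes, while the 32-bit model shows the original comparison accepting it.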