[Bug 388606] Re: [MIR] librelp

Michael Terry michael.terry at canonical.com
Fri Jul 17 16:08:08 UTC 2009


I emailed the author, Rainer Gerhards.  He said this:

"I've had a quick look at the code. It looks indeed like an easy fix, but I
think there is no issue at all (thus the TODO is not yet done): as far as I
remember, this is only called from within the RELP application and not based
on anything received from the wire. So it can not be exploited, because the
current RELP code never generates a greeting of that size (it is less than 512
bytes). But I will check tomorrow in more detail."

He hasn't gotten back to me yet in a couple days, so I assume no further
surprises appeared.  I've sent a follow-up.

As for where the function is used...  It's not exposed as part of the
UI, but it is in the symbols table.  It's used twice in the source, but
I'm not qualified to tell if they're safe uses myself.  It would seem to
depend on how long the 'offers' array is.

-- 
[MIR] librelp
https://bugs.launchpad.net/bugs/388606

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
