> I wonder why it was reported as a security risk.

My concern is the third gnutls_record_recv() call. The 'maxlen' argument
of TLS_readline() was passed to the call as is, and TLS_readline()
callers *always pass the full size* of TLS_buffer[] as 'maxlen', but
the pointer passed to gnutls_record_recv() is (TLS_buffer + some
offset). So, in theory, the remote side could send specifically prepared
data which could overwrite up to MAXTOREAD bytes past the buffer. As
I'm not a security expert, I can't say for sure if it is really
exploitable or not, but it does not look good at all.

-- 
...Bye..Dmitry.
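Added here as an illustration, not code from the bug report or from the program under discussion: a constructed harness that models the receive loop described above, with a bounds-checking stand-in for gnutls_record_recv(). The names readline, mock_recv, run, CHUNK and the 16-byte buffer are assumptions. Passing the full 'maxlen' into a call whose destination is already buf + used gets flagged by the stand-in; passing only the remaining space does not.

```c
#include <stddef.h>
#include <string.h>
#define CHUNK 5   /* bytes delivered per call: a line arrives over several calls */

static const char *peer_data;    /* constructed "remote side" byte stream */
static size_t      peer_left;
static const char *buf_end;      /* one past the real end of the destination */
static int         overflow_seen;

/* Bounds-checking stand-in for gnutls_record_recv(): it knows where the
 * destination really ends and reports, instead of performing, a write that
 * would run past it. */
static size_t mock_recv(char *dst, size_t len) {
    size_t room = (size_t)(buf_end - dst);
    if (len > room) { overflow_seen = 1; len = room; }
    if (len > CHUNK) len = CHUNK;
    size_t n = peer_left < len ? peer_left : len;
    memcpy(dst, peer_data, n);
    peer_data += n; peer_left -= n;
    return n;
}

/* Hypothetical readline in the shape the report describes: repeated receive
 * calls into buf + used, 'maxlen' being the full size of buf[]. adjust == 0
 * passes maxlen through unchanged (the reported defect); adjust == 1 passes
 * only the space left after 'used'. */
static size_t readline(char *buf, size_t maxlen, int adjust) {
    size_t used = 0;
    while (used + 1 < maxlen) {
        size_t want = adjust ? maxlen - 1 - used : maxlen;
        size_t n = mock_recv(buf + used, want);
        if (n == 0) break;
        used += n;
        if (memchr(buf, '\n', used)) break;   /* whole line received */
    }
    buf[used] = '\0';
    return used;
}

/* Reads one constructed over-long line into a 16-byte buffer; returns 1 if the
 * transport had to stop a write past the end of that buffer. */
static int run(int adjust) {
    static char buf[16];
    peer_data = "a constructed line longer than the sixteen-byte buffer\n";
    peer_left = strlen(peer_data);
    buf_end = buf + sizeof buf; overflow_seen = 0;
    readline(buf, sizeof buf, adjust);
    return overflow_seen;
}
```

With CHUNK set to 5 the second receive call already lands at buf + 5, which is where the unadjusted length first exceeds the remaining space.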


