Leo Bicknell wrote: > I point out both of these are security risks. Granted, fairly > minor, but they allow someone to get all/part of a previous packet's > data, when they should have it. This sort of thing has been used > as an attack vector before. I think fixing these to pad with some > generated (0's, 1's, /dev/random, whatever) should be a top priority.
Not /dev/random. It's going to be ignored as invalid anyway, since it's after the end of the packet according to the length. So it's not like trying to obfuscate it will magically put an attacker at some disadvantage. -- Terry To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
