On Sun, 27 Mar 2016, Yuriy M. Kaminskiy wrote:
Ping? I'd like to stress out this issue has security imlications. At very least, DoS (and this is not a standalone application, so it is not a minor issue), and maybe host memory exposure too. (However, it is only heap over-reads, without heap/stack over-writes, so no risk of escalating to remote code execution).
I can only agree that we need cleanups and fixes to make the code less trusting of remote packets.
It'd be easier if you'd break up your patch in smaller chunks so that they are easier to review and merge step by step and I would also appreciate if you'd add comments or use defines when you use magic constants in the code to aid reviewers and future readers of the code to realize that the numbers come from.
-- / daniel.haxx.se _______________________________________________ libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
