On Tue, Sep 07, 2010 at 04:40:38PM +0200, Claudio Jeker wrote:
> + if (objhdr.ieo_ctype & 0x02) {
> + /* interface name */
> + if (olen < buf[0]) {
> + printf("|)");
> + return;
> + }
> + name = strndup(buf + 1, buf[0]);
> + olen -= buf[0];
> + buf += buf[0];
> + }
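Review bot: the `if (olen < buf[0])` check dereferences buf[0] before anything in this hunk confirms olen >= 1, and a length byte of 0 passes it while leaving `buf += buf[0]` and `olen -= buf[0]` making no progress; suggest guarding with `if (olen < 1 || buf[0] < 1 || olen < buf[0])` so the length byte is known to exist, and to count itself, before the strndup.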
buf[0] is the length of the entire sub-object not just the interface
name, so I think we should a) check that it's in the range [1,64] and
b) replace strndup(buf + 1, buf[0]) with strndup(buf + 1, buf[0] - 1).
There's also a memory leak: name might not be free(3)'d before return if
the MTU field is truncated.
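For the record, here is a standalone version of the parse that applies the three fixes raised above (length byte in [1,64], strndup of buf[0] - 1 bytes, free(3) before the early return). It is an added example, not the code from the diff under review: the function names, the sub-object layout (one length byte covering itself plus the name) and the 4-byte big-endian MTU field that follows are assumptions for illustration, and the sample buffers are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strndup(3) */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse one length-prefixed interface-name sub-object (hypothetical layout,
 * following the thread): buf[0] is the length of the whole sub-object,
 * including the length byte itself, so the name is bytes 1..buf[0]-1.
 * Returns a malloc'd name (caller frees) and sets *consumed, or returns
 * NULL on a truncated or out-of-range object.
 */
char *parse_ifname_subobj(const unsigned char *buf, size_t olen, size_t *consumed)
{
	size_t sublen;
	char *name;

	*consumed = 0;
	if (olen < 1)			/* the length byte itself must be present */
		return NULL;
	sublen = buf[0];
	if (sublen < 1 || sublen > 64)	/* range check suggested in the thread */
		return NULL;
	if (olen < sublen)		/* sub-object runs past the buffer */
		return NULL;
	/* exclude the length byte: sublen - 1 name bytes, not sublen */
	name = strndup((const char *)buf + 1, sublen - 1);
	if (name == NULL)
		return NULL;
	*consumed = sublen;
	return name;
}

/*
 * Parse the name sub-object followed by a 4-byte MTU (assumed layout).
 * Returns 0 and hands ownership of *namep to the caller, or -1 with nothing
 * leaked: the name is freed before every early return after it is allocated.
 */
int parse_ifname_and_mtu(const unsigned char *buf, size_t olen,
    char **namep, uint32_t *mtup)
{
	size_t used;
	char *name;

	name = parse_ifname_subobj(buf, olen, &used);
	if (name == NULL)
		return -1;
	buf += used;
	olen -= used;
	if (olen < 4) {			/* MTU field truncated */
		free(name);		/* the leak the thread points out */
		return -1;
	}
	*mtup = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
	    (uint32_t)buf[2] << 8 | (uint32_t)buf[3];
	*namep = name;
	return 0;
}

/* Constructed samples: length byte 4 covers itself plus "em0", then MTU 1500. */
const unsigned char sample_ok[]    = { 4, 'e', 'm', '0', 0x00, 0x00, 0x05, 0xdc };
const unsigned char sample_trunc[] = { 4, 'e', 'm', '0', 0x00, 0x00 };      /* MTU cut short */
const unsigned char sample_zero[]  = { 0, 'e', 'm', '0', 0x00, 0x00, 0x05, 0xdc }; /* length 0 */
const unsigned char sample_long[]  = { 80, 'e', 'm', '0' };                 /* length > 64 */

/* Convenience wrapper for checking a case without leaking: copies the name out. */
int check_case(const unsigned char *buf, size_t olen, char *name_out,
    size_t name_sz, uint32_t *mtup)
{
	char *name;

	if (parse_ifname_and_mtu(buf, olen, &name, mtup) != 0)
		return -1;
	snprintf(name_out, name_sz, "%s", name);
	free(name);
	return 0;
}

int main(void)
{
	char name[65];
	uint32_t mtu;

	if (check_case(sample_ok, sizeof sample_ok, name, sizeof name, &mtu) == 0)
		printf("name=%s mtu=%u\n", name, mtu);
	printf("truncated: %d\n", check_case(sample_trunc, sizeof sample_trunc, name, sizeof name, &mtu));
	printf("zero length: %d\n", check_case(sample_zero, sizeof sample_zero, name, sizeof name, &mtu));
	printf("too long: %d\n", check_case(sample_long, sizeof sample_long, name, sizeof name, &mtu));
	return 0;
}
```

The key point is the asymmetry between the two uses of buf[0]: it is the right amount to advance buf and to compare against olen, but one byte too many to hand to strndup(3).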