Public bug reported:

Some concerns came out of the MIR for librelp (bug 388606).

1) relpOffersToString does not bounds-check the output string (even has a 
"TODO" listed), as it uses a fixed 4096 size.
2) relpOfferValueAdd will wrap integers (since Data len is 255 characters, 
converted back to int), though nothing meaningfully depends on this yet. If an 
intVal is ever used for length calculations, there will be trouble. (Also note 
strncpy doesn't terminate if it encounters max characters, though again, 
currently safe due to equal-sized src/dest buffers.)

Issue #1 is fixed in librelp git, so should be available once librelp
0.1.4 is released.

I don't think issue #2 was communicated to upstream yet.

** Affects: librelp (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Possible security issues to watch
https://bugs.launchpad.net/bugs/422022

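
The three patterns the report raises (appending into a fixed-size output buffer, copying with guaranteed termination, and converting a long digit string to int without wrapping), sketched in hardened form as an added example. This is not librelp code: `buf_append`, `val_copy`, `val_to_int` and `VAL_MAX` are hypothetical names, and the sample strings are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VAL_MAX 255 /* assumed field size, after the 255-character value in the report */

/* Append src to dst (capacity cap, *used bytes written so far); -1 if it does not fit. */
int buf_append(char *dst, size_t cap, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (*used >= cap || n > cap - *used - 1)
        return -1;                   /* refuse instead of writing past the end */
    memcpy(dst + *used, src, n + 1); /* n + 1 copies the terminator too */
    *used += n;
    return 0;
}

/* Copy into a VAL_MAX + 1 byte field: always NUL-terminated, over-long input rejected. */
int val_copy(char dst[VAL_MAX + 1], const char *src)
{
    size_t n = strlen(src);
    if (n > VAL_MAX)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Decimal string to int; -1 on garbage or out-of-range input instead of a wrapped value. */
int val_to_int(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

int main(void)
{
    char out[16]; size_t used = 0; int v; /* constructed sample input below */
    printf("%d\n", buf_append(out, sizeof out, &used, "commands=syslog"));
    printf("%d\n", val_to_int("99999999999999999999", &v));
    return 0;
}
```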