Saikrishna, I don't believe that patch is complete:
+++ simgear/simgear/io/sg_socket_udp.cxx 2013-08-04 22:21:16.174132010
-0500
@@ -104,8 +104,9 @@
}
int result;
+ int size = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
- if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
+ if ( (result = sock.recv(buf, size, 0)) >= 0 ) {
buf[result] = '\0';
// printf("msg received = %s\n", buf);
}
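Review bot: the new `size` has an upper bound but the unchanged `buf[result] = '\0';` still writes at index `result`, which can equal `size`. If the caller's buffer holds exactly `length` bytes, a datagram that fills it puts the terminator one byte past the end. Consider rejecting `length <= 0` first and then clamping to `length - 1` so the NUL always fits inside the buffer.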
And here are the corresponding prototypes:
int SGSocketUDP::read( char *buf, int length ) {
ssize_t recv(int sockfd, void *buf, size_t len, int flags);
'length' could be negative, thus 'size' could be negative. When the signed size is
passed to recv(), it may become a very large positive integer, think above two billion,
and thus allow recv() to overwrite the buf buffer.
There needs to be a similar check to ensure that length is non-negative.
Thanks
https://bugs.launchpad.net/bugs/1077624
Title:
FFe: Update Flightgear to version 2.10.0
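The length handling discussed in the message above, as an added example that is not part of the original message or the SimGear source: it shows what a negative `length` becomes once converted to `size_t`, next to a read that bounds the length on both sides. `MAX_MSG_SIZE`, `patched_len`, `bounded_read` and `demo` are hypothetical names, and the buffer is assumed to hold exactly `length` bytes.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_MSG_SIZE 16 /* constructed stand-in for SG_IO_MAX_MSG_SIZE */

/* Length computed as in the patch: upper bound only. The cast is the
 * implicit int -> size_t conversion that happens at the recv() call. */
static size_t patched_len(int length) {
    int size = length < MAX_MSG_SIZE ? length : MAX_MSG_SIZE;
    return (size_t)size;
}

/* Hypothetical hardened read. Assumes buf holds exactly `length` bytes. */
static int bounded_read(int fd, char *buf, int length) {
    if (buf == NULL || length < 2)
        return -1;                   /* negative, zero, or no room for data + NUL */
    size_t cap = (size_t)length - 1; /* reserve one byte for the terminator */
    if (cap > MAX_MSG_SIZE)
        cap = MAX_MSG_SIZE;
    ssize_t n = recv(fd, buf, cap, 0);
    if (n < 0)
        return -1;
    buf[n] = '\0';                   /* n <= cap < length, always in bounds */
    return (int)n;
}

/* Sends one datagram over a local socketpair and reads it back. */
static int demo(const char *msg, int length, char *out) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -2;
    int n = -2;
    if (send(sv[0], msg, strlen(msg), 0) >= 0)
        n = bounded_read(sv[1], out, length);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void) {
    char out[8];
    printf("patched_len(-1) = %zu\n", patched_len(-1));
    printf("demo(len=8)  -> %d\n", demo("hello world", 8, out));
    printf("demo(len=-5) -> %d\n", demo("hi", -5, out));
    return 0;
}
```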