Daniel Willmann
1fc8ec66a3
The size parameter of msgb_alloc is uint16_t so any length value above 65535 will allocate a msgb with incorrect size.

This patch changes the type of rdlen and rc to ssize_t (the return value of read) and guards against the read length being larger than UINT16_MAX.

To reproduce the issue run:

    echo -en "\x00\x01\x00\x01\x01" |socat stdin tcp:localhost:2775
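The truncation and the guard that the commit message describes, as an added example that is not code from the commit or the project. `alloc_capacity` is a hypothetical stand-in for an allocator with a uint16_t size parameter, and the 4-byte big-endian length prefix and the sample byte values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for an allocator with a uint16_t size parameter,
 * as the commit message states for msgb_alloc. Returns the capacity reserved. */
static uint16_t alloc_capacity(uint16_t size)
{
    return size;
}

/* Assumption: the length arrives as a 4-byte big-endian prefix. */
static uint32_t parse_len(const uint8_t hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Before: the length is narrowed to uint16_t at the allocator call.
 * Returns by how many bytes a later read of `len` bytes exceeds the buffer. */
uint32_t unguarded_overrun(const uint8_t hdr[4])
{
    uint32_t len = parse_len(hdr);
    uint16_t cap = alloc_capacity((uint16_t)len); /* same value as the implicit conversion */
    return len > cap ? len - cap : 0;
}

/* After: keep the length in ssize_t and reject anything above UINT16_MAX
 * before allocating. Returns the capacity, or -1 when rejected. */
ssize_t guarded_capacity(const uint8_t hdr[4])
{
    ssize_t rdlen = (ssize_t)parse_len(hdr);
    if (rdlen < 0 || rdlen > UINT16_MAX)
        return -1;
    return alloc_capacity((uint16_t)rdlen);
}

int main(void)
{
    /* Constructed sample prefixes: 16, 65535, 65536, 65537. */
    const uint8_t samples[4][4] = {
        {0, 0, 0, 0x10}, {0, 0, 0xff, 0xff}, {0, 1, 0, 0}, {0, 1, 0, 1} };
    for (int i = 0; i < 4; i++)
        printf("len=%u overrun=%u guarded=%zd\n", (unsigned)parse_len(samples[i]),
               (unsigned)unguarded_overrun(samples[i]), guarded_capacity(samples[i]));
    return 0;
}
```

Compiling with `-Wconversion` flags an implicit narrowing of this kind at the call site, which is a cheap way to find other callers that pass a wider length type to the same allocator.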