Commit f7fdface authored by Committed by Derek Foreman
connection: Prevent pointer overflow from large lengths.
If the remote side sends sufficiently large `length` field, it will overflow the `p` pointer. Technically it is undefined behavior, in practice it makes `p < end`, so the length check passes. Attempts to access the data later causes crashes. This issue manifests only on 32bit systems, but the behavior is undefined everywhere. Reviewed-by: Pekka Paalanen <firstname.lastname@example.org> Reviewed-by: Derek Foreman <email@example.com>
Showing with 7 additions and 5 deletions