I was looking at this patch, but there seems to be an error in it:

 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;

Should the value for slc_reply_eom not be this instead?

 unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

Considering the conditionals are the following:

+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;

.. and ..

+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;

If you don't subtract 1 from the sizeof(slc_reply) or change the conditional operators to >=, then you could try to write one byte past the end of the buffer.

-- 
Steve Kiernan
Juniper Networks

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
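Review bot: the declaration of slc_reply_eom needs a comment stating the sentinel convention, because `&slc_reply[sizeof(slc_reply)]` is a one-past-the-end pointer and the two checks `&slc_replyp[6+2] > slc_reply_eom` and `&slc_replyp[2] > slc_reply_eom` depend on exactly that pairing: a write of n bytes at slc_replyp is admitted only when slc_replyp + n <= slc_reply_eom, so its last byte lands at index sizeof(slc_reply) - 1 at most, and the question raised in this mail is the kind of confusion the comment would prevent; suggest `/* one past the end of slc_reply; compare with >, never dereference */` next to the `+unsigned char const * const slc_reply_eom` line. A smaller point on the same hunks: forming `&slc_replyp[6+2]` when slc_replyp is within the last seven bytes creates a pointer more than one element past the array, which C leaves undefined even if it is only compared; writing the test as `slc_reply_eom - slc_replyp < 6+2` keeps the same meaning without forming that pointer.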
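The following C program is an added illustration and is not code from the patch or from anyone in this thread. It builds a constructed 128-byte buffer named `reply` and shows what each of the two conventions discussed above admits: a sentinel one past the end with `>` (as in the patch) and a sentinel on the last element with the same `>` (as proposed in the mail). The function and variable names (`reply_eom`, `fits_one_past_end`, `fits_last_element`, `append_bytes`, `fill_with_records`) are my own, and the check is written as `need > eom - p` so that no pointer beyond one-past-the-end is ever formed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer, sized like slc_reply in the quoted patch. */
#define REPLY_SIZE 128
static unsigned char reply[REPLY_SIZE];

/* One-past-the-end sentinel, the convention the patch uses: it may be
 * formed and compared against, but must never be dereferenced. */
static unsigned char *const reply_eom = &reply[REPLY_SIZE];

/* Bytes still free at cursor p; p must lie inside reply or at reply_eom. */
static size_t remaining(const unsigned char *p)
{
    return (size_t)(reply_eom - p);
}

/* The patch's test `&p[need] > eom`, written as `need > eom - p` so that no
 * pointer beyond one-past-the-end is formed. True means the write fits. */
bool fits_one_past_end(size_t off, size_t need)
{
    const unsigned char *p = reply + off;   /* caller keeps off <= REPLY_SIZE */
    return need <= remaining(p);
}

/* The alternative raised in the mail: the sentinel points at the LAST element
 * and the same `>` comparison is kept, i.e. `&p[need] > &reply[REPLY_SIZE - 1]`. */
bool fits_last_element(size_t off, size_t need)
{
    const unsigned char *p = reply + off;
    const unsigned char *last = &reply[REPLY_SIZE - 1];
    if (p > last)                           /* cursor already past the last byte */
        return false;
    return need <= (size_t)(last - p);
}

/* Append `need` copies of `val` at *cursor when they fit, then advance the
 * cursor, the way slc_replyp is advanced after each check in the patch. */
bool append_bytes(unsigned char **cursor, unsigned char val, size_t need)
{
    if (need > remaining(*cursor))
        return false;
    memset(*cursor, val, need);
    *cursor += need;
    return true;
}

/* Fill the buffer with fixed-size records from offset 0 and report how many
 * bytes were written; the cursor can never move past reply_eom. */
size_t fill_with_records(size_t rec)
{
    unsigned char *cursor = reply;
    while (append_bytes(&cursor, 0xAB, rec))
        ;
    return (size_t)(cursor - reply);
}

int main(void)
{
    printf("8 bytes at 120 (last index 127): one-past-end=%d last-element=%d\n",
           fits_one_past_end(120, 8), fits_last_element(120, 8));
    printf("8 bytes at 121 (would reach 128): one-past-end=%d last-element=%d\n",
           fits_one_past_end(121, 8), fits_last_element(121, 8));
    printf("8-byte records fill %zu of %d bytes\n", fill_with_records(8), REPLY_SIZE);
    return 0;
}
```

With the sentinel one past the end, `&p[8] > eom` admits the write whose last byte is index 127 and rejects the one that would reach index 128; with the sentinel on the last element and the same `>`, the 8-byte write at offset 120 is rejected as well, so the final byte of the buffer is never used. Computing `eom - p` instead of `&p[need]` also avoids forming a pointer more than one element past the array, which C does not define.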