On Mon, Mar 29, 2021 at 2:34 PM Andreas Roeseler <andreas.a.roese...@gmail.com> wrote: > > On Sun, 2021-03-28 at 13:00 -0400, Willem de Bruijn wrote: > > On Wed, Mar 24, 2021 at 2:20 PM Andreas Roeseler > > <andreas.a.roese...@gmail.com> wrote: > > > > > > > > + if (!ext_hdr || !iio) > > > + goto send_mal_query; > > > + if (ntohs(iio->extobj_hdr.length) <= sizeof(iio- > > > >extobj_hdr)) > > > + goto send_mal_query; > > > + ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio- > > > >extobj_hdr); > > > > As asked in v3: this can have negative overflow? > > The line above checks that iio->extobj_hdr.length is greater than the > size of iio->extobj_hdr.
Completely missed that, clearly. Thanks, that's great, then.
