On 2024-12-23 14:27, exploit dev wrote:
> In decode_header(), assign_string_n() takes input from header.uname as
> value and also as size_t.
> [image: image.png]
I didn't look at the images, for what I hope are obvious security
reasons. If they contain important info please resend as text. (In
gene
My bad, I missed that uname is of max size 31.
On Mon, 23 Dec 2024 at 15:37, exploit dev wrote:
> Hello,
>
> In decode_header(), assign_string_n() takes input from header.uname as
> value and also as size_t.
> [image: image.png]
> If value and n are both controlled, the "l" variable is prone
Hello,
In decode_header(), assign_string_n() takes input from header.uname as
value and also as size_t.
[image: image.png]
If value and n are both controlled, the "l" variable is prone to
overflowing inside the xmalloc(l+1)
which will under-allocate p, and over-copy value into it.
[image: image.
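
The allocation pattern discussed in this thread, as an added example (not GNU tar's code and not written by anyone in the thread): a bounded field copy in which the length `l` can never exceed the caller-supplied `n`, with an explicit guard on `l + 1`. The names `copy_field_n` and `struct hdr`, and the 32-byte field size taken from the ustar header layout, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a fixed-width header field (ustar uname is 32 bytes). */
struct hdr { char uname[32]; };

/* Copy at most n bytes of value into a fresh NUL-terminated string.
   Returns NULL if value is NULL, if l + 1 would wrap, or if malloc fails. */
char *copy_field_n(const char *value, size_t n, size_t *len_out)
{
    if (!value)
        return NULL;

    /* Bounded length: stop at the first NUL or after n bytes, so l <= n. */
    const char *end = memchr(value, '\0', n);
    size_t l = end ? (size_t)(end - value) : n;

    /* l + 1 wraps to 0 only when l == SIZE_MAX; reject that case so the
       allocation can never be smaller than the copy that follows. */
    if (l == SIZE_MAX)
        return NULL;

    char *p = malloc(l + 1);
    if (!p)
        return NULL;
    memcpy(p, value, l);
    p[l] = '\0';
    if (len_out)
        *len_out = l;
    return p;
}

int main(void)
{
    struct hdr h;                          /* constructed sample input */
    memset(h.uname, 'A', sizeof h.uname);  /* field with no NUL terminator */

    size_t l = 0;
    char *p = copy_field_n(h.uname, sizeof h.uname, &l);
    if (!p)
        return 1;
    printf("copied %zu bytes into a %zu-byte allocation\n", l, l + 1);
    free(p);
    return 0;
}
```

When `n` is the size of a fixed-width field, `l` is bounded by that size regardless of the field's contents, so the guard only matters for callers that pass an unbounded `n`.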