by peterwwillis
4710 days ago
tl;dr There is a buffer overflow in read_packet(). See below.

Edit: Shit, I'm wrong. I missed this, line 599 of Lossless_UDP.c:

    if (size > MAX_DATA_SIZE)
        return 1;

That is the only section that verifies the size of the memory being copied, which is still dangerous. Every memcpy should enforce the size being no greater than the size of Data.data, and not rely on .size having been previously set properly.
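Added example, not part of the comment above and not the project's code: one way to put the bound at every copy, as the comment recommends. The `Data` layout, the value of `MAX_DATA_SIZE`, and the helper names `data_store` and `data_load` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA_SIZE 1024 /* assumed value, for illustration only */

/* Hypothetical stand-in for the struct the comment calls Data. */
typedef struct {
    uint8_t  data[MAX_DATA_SIZE];
    uint16_t size;
} Data;

/* Copy into d->data. The bound comes from the destination array itself,
 * not from a size check performed somewhere else in the call chain. */
static int data_store(Data *d, const uint8_t *src, size_t len)
{
    if (d == NULL || src == NULL || len > sizeof d->data)
        return -1;
    memcpy(d->data, src, len);
    d->size = (uint16_t)len;
    return 0;
}

/* Copy out of d->data without trusting d->size: it is re-checked against
 * the source array and the caller's buffer. Returns bytes copied or -1. */
static int data_load(const Data *d, uint8_t *dst, size_t dst_cap)
{
    if (d == NULL || dst == NULL)
        return -1;
    if (d->size > sizeof d->data || d->size > dst_cap)
        return -1;
    memcpy(dst, d->data, d->size);
    return (int)d->size;
}

int main(void)
{
    Data d = {0};
    uint8_t oversized[MAX_DATA_SIZE + 1] = {0}; /* constructed input */
    uint8_t out[16];

    printf("oversized store: %d\n", data_store(&d, oversized, sizeof oversized));
    printf("8-byte store:    %d\n", data_store(&d, oversized, 8));
    d.size = MAX_DATA_SIZE + 1; /* simulate a .size field set improperly */
    printf("load, bad size:  %d\n", data_load(&d, out, sizeof out));
    return 0;
}
```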