Bug #6787
Status: closed
decode/pppoe: Suspicious pointer scaling
Description
pppoedt = pppoedt + (4 + tag_length); looks like it can overflow on 32-bit systems
Added by Philippe Antoine over 1 year ago. Updated over 1 year ago.
Actually, this is a bug, but not a security issue.
There is no unsigned overflow because we upgrade a u16 read on the network to u32.
But there is still the bug that we do pointer arithmetic with something different than the u8 pkt buffer...
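The pointer scaling described in the comment above, as an added example that is not from the ticket or the project's code: struct tag_hdr, the sample bytes and the function names are assumptions made for illustration. It compares the stride of the flagged expression on a struct pointer with the same expression on a u8 buffer, and shows the effect on a bounds-checked tag walk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 4-byte tag header (type, length); not the project's definition. */
struct tag_hdr { uint16_t type; uint16_t length; };

/* Constructed sample: three tags with value lengths 0, 2 and 0 (14 bytes). */
static const uint8_t sample[] = {
    0x01, 0x01, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x02, 'a', 'b',
    0x01, 0x03, 0x00, 0x00,
};

/* Bytes skipped by "ptr = ptr + (4 + tag_length)" when ptr is a struct pointer. */
static size_t typed_stride(uint16_t tag_length)
{
    static struct tag_hdr arena[4 + 65535 + 1]; /* keeps the arithmetic in bounds */
    struct tag_hdr *p = arena;
    struct tag_hdr *q = p + (4 + tag_length);   /* scaled by sizeof(struct tag_hdr) */
    return (size_t)((uint8_t *)q - (uint8_t *)p);
}

/* Bytes skipped by the same expression on the u8 packet buffer. */
static size_t byte_stride(uint16_t tag_length) { return (size_t)4 + tag_length; }

/* Count tags by byte offset; -1 if a tag is truncated. scale 1 models u8
 * arithmetic, scale sizeof(struct tag_hdr) models the typed-pointer stride. */
static int count_tags(const uint8_t *buf, size_t len, size_t scale)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 4) return -1;
        uint16_t tag_length = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if ((size_t)4 + tag_length > len - off) return -1;
        n++;
        size_t step = ((size_t)4 + tag_length) * scale;
        if (step > len - off) break; /* scaled stride left the buffer */
        off += step;
    }
    return n;
}

int main(void)
{
    printf("stride for length 2: u8=%zu typed=%zu\n", byte_stride(2), typed_stride(2));
    printf("tags seen: u8=%d typed=%d\n", count_tags(sample, sizeof sample, 1),
           count_tags(sample, sizeof sample, sizeof(struct tag_hdr)));
    return 0;
}
```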
@Philippe Antoine can you fix the title of the backport tickets?
Victor Julien wrote in #note-9:
catenacyber can you fix the title of the backport tickets?
Had to look twice at the diff to see it :-p