Bug #6787
closed
decode/pppoe: Suspicious pointer scaling
Added by Philippe Antoine 9 months ago.
Updated 8 months ago.
Description
pppoedt = pppoedt + (4 + tag_length);
looks like it can overflow on 32-bit systems
- Status changed from New to In Review
- Tracker changed from Security to Bug
- Private changed from Yes to No
- Severity deleted (MODERATE)
Actually, this is a bug, but not a security issue.
There is no unsigned overflow because we upgrade a u16 read on the network to u32.
But there is still the bug that we do pointer arithmetic with something different than the u8 pkt buffer...
- Target version changed from TBD to 8.0.0-beta1
- Label deleted (Needs backport to 6.0)
- Label deleted (Needs backport to 7.0)
- Subject changed from decode/ppoe: Suspicious pointer scaling to decode/pppoe: Suspicious pointer scaling
Victor Julien wrote in #note-9:
catenacyber can you fix the title of the backport tickets?
Had to look twice at the diff to see it :-p
- Status changed from In Review to Resolved
- Status changed from Resolved to Closed
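The pointer scaling discussed in this ticket, as an added example that is not the project's code: adding `4 + tag_length` to a typed pointer moves by that count times the struct size, while a byte offset into the u8 packet buffer moves by the intended amount. The names `tag_hdr`, `typed_stride_bytes` and `count_tags_bytewise`, the 4-byte big-endian header layout and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 4-byte tag header: type and length, big-endian on the wire. */
struct tag_hdr { uint16_t type, length; };

/* Bytes skipped when a byte count is added to a typed pointer (count * sizeof). */
static size_t typed_stride_bytes(uint16_t tag_length)
{
    static struct tag_hdr arena[32];          /* large enough for the demo */
    uint32_t count = 4u + tag_length;         /* u16 widened to u32: no wraparound */
    if (count > 32)
        return 0;                             /* keep the pointer inside arena */
    struct tag_hdr *next = arena + count;     /* scaled by sizeof(*arena) */
    return (size_t)((uint8_t *)next - (uint8_t *)arena);
}

/* Walk tags with a byte offset; returns the tag count, or -1 if one is truncated. */
static int count_tags_bytewise(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    int tags = 0;
    while (off < len) {
        if (len - off < 4)
            return -1;                        /* truncated header */
        uint32_t tag_length = ((uint32_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (tag_length > len - off - 4)
            return -1;                        /* value runs past the buffer */
        off += 4 + tag_length;                /* byte stride, unscaled */
        tags++;
    }
    return tags;
}

/* Constructed sample: tag 0x0101 with empty value, then tag 0x0102 with "abc". */
static const uint8_t sample[] = {
    0x01, 0x01, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x03, 'a', 'b', 'c',
};

int main(void)
{
    printf("tags=%d typed=%zu bytes=%u\n", count_tags_bytewise(sample, sizeof sample),
           typed_stride_bytes(3), 4u + 3u);
    return 0;
}
```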