19 Mar
2007
19 Mar
'07
10:34 p.m.
On March 19, 2007 7:23:16 PM -0700 Frank Cusack <fcusack@fcusack.com> wrote:
@@ -1176,6 +1198,9 @@ goto error; }
+ if (a_reply->length < 2 || a_state->length < 2) + goto error; + memcpy(challenge, a_reply->data, a_reply->length - 2); challenge[a_reply->length - 2] = 0;
What's this bit about? Doesn't the length check done just above this addition make this superfluous?
Ah, nevermind.
Also, I worked from the Debian source version which includes a patch for CVE-2005-0108: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0108
A version of that fix is already in cvs, and the diff is fuzzy enough that it still applied. -frank