Please sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix Use After Free for large message sizes
The buffer to receive messages is initialised to 16k. If a message is received that is larger than that then the buffer is "realloc'd". This can cause the location of the underlying buffer to change. Anything that is referring to the old location will be referring to free'd data. In the recent commit c1ef7c9 (master) and 4b390b6 (1.1.0) the point in the code where the message buffer is grown was changed. However s->init_msg was not updated to point at the new location. CVE-2016-6309 Reviewed-by: Emilia Käsper <email@example.com> (cherry picked from commit 0d698f6)
- Loading branch information