On Tue, 2009-09-01 at 08:17 -0400, Bob Copeland wrote:
> Hi,
>
> My laptop was on all night and at some point got stuck in a loop.
> Unfortunately I don't know exactly what happened since dmesg buffer
> filled up and there was nothing incriminating in /var/log, but
> here's my interpretation:
>
> EIP points to line 146:
>
> while (len > 2 && ies[0] != num) ...
>
> ECX holds len, which is negative (unfortunately size_t is unsigned)
> EDX holds ies, looks like a valid pointer
> EBX holds num, which is 0.
>
> This looks like this is a DoS-able bug if there are any malformed
> packets, no? I think we should change 'len' to int here.

Absolutely. Can you send a patch? Also to .31/stable.

johannes
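Added example, not code from the thread or from the kernel: a minimal information-element walker of the shape quoted above (`while (len > 2 && ies[0] != num)`), once with a `size_t` length and once with a signed `int`, run over a constructed IE buffer whose last element claims more payload than is present. The function names `find_ie_unsigned` / `find_ie_signed` and the sample bytes are assumptions made for this demonstration. It shows why the unsigned version never terminates on its own (the subtraction wraps, so `len > 2` stays true and the pointer leaves the buffer) and why the signed version stops and reports the truncated element instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three 802.11 information elements (id, length,
 * payload). The last one claims 10 bytes of payload but only 1 follows,
 * i.e. a malformed/truncated frame. */
static const uint8_t sample_ies[] = {
    0x00, 0x03, 'a', 'b', 'c',   /* SSID (id 0), 3 bytes */
    0x01, 0x02, 0x82, 0x84,      /* supported rates (id 1), 2 bytes */
    0x03, 0x0a, 0x06             /* DS params (id 3), says 10, has 1 */
};

/* Mirrors the reported loop with an unsigned length. When the element's
 * step (length + 2) exceeds the remaining `len`, the subtraction wraps to
 * a huge value, `len > 2` stays true and `p` walks past the buffer.
 * The original loop has no guard; this demo stops at the buffer end and
 * returns -1 so that it terminates and the overrun can be observed. */
static long find_ie_unsigned(uint8_t eid, const uint8_t *ies, size_t len)
{
    const uint8_t *end = ies + len;
    const uint8_t *p = ies;

    while (len > 2 && p[0] != eid) {
        size_t step = (size_t)p[1] + 2;
        len -= step;            /* wraps when step > len */
        p += step;
        if (p >= end)           /* guard added for the demo only */
            return -1;          /* walked out of the buffer */
    }
    if (len < 2 || len < (size_t)2 + p[1])
        return -2;              /* not found or truncated element */
    return (long)(p - ies);     /* offset of the element */
}

/* Same walk with a signed length, the fix proposed in the thread: the
 * subtraction can go negative, which ends the loop, and the post-loop
 * checks then reject both "no data left" and "element longer than the
 * data that remains". */
static long find_ie_signed(uint8_t eid, const uint8_t *ies, int len)
{
    const uint8_t *p = ies;

    while (len > 2 && p[0] != eid) {
        int step = p[1] + 2;
        len -= step;            /* may go negative: loop terminates */
        p += step;
    }
    if (len < 2)
        return -2;              /* ran out of data, p is not dereferenced */
    if (len < 2 + p[1])
        return -2;              /* element claims more than remains */
    return (long)(p - ies);
}

int main(void)
{
    int n = (int)sizeof sample_ies;
    printf("unsigned, id 4 (absent): %ld\n", find_ie_unsigned(4, sample_ies, sizeof sample_ies));
    printf("signed,   id 4 (absent): %ld\n", find_ie_signed(4, sample_ies, n));
    printf("signed,   id 3 (truncated): %ld\n", find_ie_signed(3, sample_ies, n));
    printf("signed,   id 1 (valid): %ld\n", find_ie_signed(1, sample_ies, n));
    return 0;
}
```

Searching for an id that is not present is the interesting case: the unsigned walker reaches the truncated element, wraps `len` and leaves the buffer (on real hardware that becomes an out-of-bounds read and the reported hang), while the signed walker ends with `len` negative and returns "not found". A signed length alone is not the whole fix; the `len < 2 + p[1]` check after the loop is what rejects the truncated element when its id is the one being searched for.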