tech-net archive


Re: state of netbt



On 04/08/2018 at 22:14, Iain Hibbert wrote:
> Hi
>
> While that may be strictly true, at this level we are parsing data provided
> by the local hardware itself

I know that

> [...]
> If you think it is really necessary to parse this locally produced data in
> a more complete way, I can look at it later (I'm away sailing now)

I don't "think" it is, it just is. For the same reason that there are already
many other checks in this same piece of code.

But what I'm talking about is the code in general, not just this example
(which I threw down there, because that's the first I found when I spent two
minutes to re-read the code the other day).

Another example:

	l2cap_recv_frame -> l2cap_recv_signal -> l2cap_recv_command_rej

We do:

	m_copydata(m, 0, cmd.length, &cp);

Where cmd.length can actually be zero. Then we read "cp", but it's not
initialized. It doesn't seem impossible to me for an attacker to retrieve
this leaked stack content.

Etc, whatever, I only wanted to know if the code was considered as dead and
not worth fixing. Since the answer is "no", I guess I'll fix it...
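The pattern described above, as an added example that is not NetBSD code and not anything posted in this thread: a hypothetical command header whose length field drives the copy into a local struct, first as the message describes it (a zero length copies nothing, and the field read afterwards is whatever the stack held) and then with the length validated before the copy. The struct layouts, the flat-buffer stand-in for m_copydata(), the sentinel standing for stale stack contents and the test frames are all constructed for this example.

```c
/*
 * Added example, not NetBSD code: models the bug described in the mail.
 * The peer-controlled length field of a command header is handed straight
 * to the copy routine; with length 0 the destination struct is never
 * written, and the handler goes on to read it anyway.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts for the example (assumption, not the kernel's types). */
struct cmd_hdr {
    uint8_t  code;      /* command code */
    uint8_t  ident;     /* transaction identifier */
    uint16_t length;    /* payload length claimed by the peer */
};

struct cmd_rej_cp {
    uint16_t reason;    /* the field the handler reads after the copy */
};

/* Stand-in for m_copydata(m, off, len, dst) over a flat buffer (assumption). */
static void fake_m_copydata(const uint8_t *m, size_t off, size_t len, void *dst)
{
    memcpy(dst, m + off, len);
}

/* Sentinel representing stale stack contents; real code gets whatever is there. */
#define STALE_STACK 0xBEEF

/*
 * The pattern as described: copy cmd.length bytes, then read cp.reason.
 * With cmd.length == 0 nothing is copied, so the returned value is the
 * leftover stack content (the sentinel here). The same unchecked length
 * would also let a value larger than sizeof(cp) overrun cp; this example
 * only exercises the zero-length case.
 */
uint16_t recv_command_rej_unchecked(const uint8_t *frame, size_t framelen)
{
    struct cmd_hdr cmd;
    struct cmd_rej_cp cp;

    if (framelen < sizeof(cmd))
        return 0xFFFF;                       /* no header at all */
    memcpy(&cmd, frame, sizeof(cmd));

    cp.reason = STALE_STACK;                 /* stands for uninitialized stack */
    fake_m_copydata(frame, sizeof(cmd), cmd.length, &cp);   /* length may be 0 */
    return cp.reason;                        /* stale value when length was 0 */
}

/*
 * Hardened form: require the claimed length to cover the struct that will
 * be read, require the frame to actually carry that many bytes, and copy
 * exactly sizeof(cp). Returns 0 and fills *reason, or -1 on a malformed
 * command.
 */
int recv_command_rej_checked(const uint8_t *frame, size_t framelen, uint16_t *reason)
{
    struct cmd_hdr cmd;
    struct cmd_rej_cp cp;

    if (framelen < sizeof(cmd))
        return -1;
    memcpy(&cmd, frame, sizeof(cmd));
    if (cmd.length < sizeof(cp))
        return -1;                           /* zero or short payload: reject */
    if (framelen - sizeof(cmd) < cmd.length)
        return -1;                           /* header claims more than is present */

    fake_m_copydata(frame, sizeof(cmd), sizeof(cp), &cp);
    *reason = cp.reason;
    return 0;
}

/* Constructed test frames (not captured traffic): header, then a reason field. */
static void build_frame(uint8_t buf[8], uint16_t length, uint16_t reason)
{
    struct cmd_hdr cmd = { .code = 0x01, .ident = 0x2a, .length = length };

    memset(buf, 0, 8);
    memcpy(buf, &cmd, sizeof(cmd));
    memcpy(buf + sizeof(cmd), &reason, sizeof(reason));
}

int main(void)
{
    uint8_t zero_len[8], good[8];
    uint16_t reason = 0;
    int rc;

    build_frame(zero_len, 0, 0);             /* length field says 0 */
    build_frame(good, (uint16_t)sizeof(struct cmd_rej_cp), 0x0001);

    printf("unchecked, length 0: reason=0x%04x (leaked sentinel)\n",
           recv_command_rej_unchecked(zero_len, sizeof zero_len));
    printf("checked,   length 0: rc=%d\n",
           recv_command_rej_checked(zero_len, sizeof zero_len, &reason));
    rc = recv_command_rej_checked(good, sizeof good, &reason);
    printf("checked,   length 2: rc=%d reason=0x%04x\n", rc, reason);
    return 0;
}
```

Run as-is, the unchecked handler reports the sentinel as the rejection reason for the zero-length frame, which is the leak the mail points at; the checked handler refuses that frame instead. One way to close the hole in a real handler is the same comparison of the claimed length against sizeof(cp) before the m_copydata() call, dropping the command when it is too short.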

