OpenBSD overflow

[Erg Noor <fuzzingrf () yandex ru>]

Hi,


Fun OpenBSD bug.

ip_dooptions() will allow IPOPT_SSRR with optlen = 2.

save_rte() will set isr_nhops to very large value, which will cause 
overflow in next ip_srcroute() call.


More info is here https://github.com/fuzzingrf/openbsd_tcpip_overflow/


-erg
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/