1 The vulnerability is cause due to an integer underflow error in "recv_packet()"
2 within the handling of a received UDP packet. This can be exploited to cause
3 out-of-bounds memory access which crashes the server process via a UDP packet
4 that is smaller than 12 bytes in size.
6 http://bugs.gentoo.org/136222
8 --- 0verkill-0.16/net.c
9 +++ 0verkill-0.16/net.c
11 p=mem_alloc(max_len+12);
12 if (!p)return -1; /* not enough memory */
13 retval=recvfrom(fd,p,max_len+12,0,addr,addr_len);
14 + if (retval<12)return -1; /* not enough data from network */
15 memcpy(packet,p+12,max_len);
16 crc=p[0]+(p[1]<<8)+(p[2]<<16)+(p[3]<<24);
17 s=p[4]+(p[5]<<8)+(p[6]<<16)+(p[7]<<24);