No subject

[Ian Jackson]

Simon writes:
> Right. Now I think I have some kind of an explanation. The problem
> does seem to be in buf_remaining_space, because when my watchpoint on
> st->buff goes off, the code being executed is in buf_append_uint8, on
> a buffer looking like this:

Simon's explanation, sent to me by private email, was entirely
correct.  Here is the patch he sent me, with a commit message added by
me.

Thanks very much to Simon.

I have taken the liberty of adding my own Signed-off-by, since I trust
Simon has no objection to us distributing this fix in secnet (hence
under the GPLv3+).

 [PATCH 1/1] SECURITY: fixed fix to buffer handling