
Heap overflow in the necp_client_action syscall - ingve
https://blog.grimm-co.com/post/heap-overflow-in-the-necp_client_action-syscall/
======
userbinator
This observation comes from this piece of code:

    /* NECP_TFO_COOKIE_LEN_MAX is 16 on this page */
    u_int8_t necp_tcp_tfo_cookie[NECP_TFO_COOKIE_LEN_MAX];
    u_int8_t necp_tcp_tfo_cookie_len;

If the buffer was 256 bytes instead of 16, it would not be overflowable since
its length is only specified in 8 bits. Alternatively, make this "cookie"
always a fixed length of 16 bytes (why would it need to be variable length?
From reading through the article I get the impression that this is just an
identifier.)
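The size mismatch the comment describes, worked through as an added example in C (not code from the article, XNU, or the commenter): an 8-bit length can state any value up to 255, so a 16-byte destination is only safe if the length is checked before the copy. The struct name `tfo_cookie_fields` and the helper functions are hypothetical; only the two field names and the 16-byte size come from the thread.

```c
#include <stdint.h>
#include <string.h>

/* 16-byte cookie buffer, as stated in the comment above. */
#define NECP_TFO_COOKIE_LEN_MAX 16

/* Hypothetical container for the two fields quoted in the comment. */
struct tfo_cookie_fields {
    uint8_t necp_tcp_tfo_cookie[NECP_TFO_COOKIE_LEN_MAX];
    uint8_t necp_tcp_tfo_cookie_len;
};

/* A buffer indexed by a u_int8_t length is safe by construction only if it
 * holds at least UINT8_MAX + 1 = 256 bytes; for 16 bytes a check is needed. */
int tfo_cookie_buffer_needs_check(void) {
    return NECP_TFO_COOKIE_LEN_MAX <= UINT8_MAX;   /* 1 for the 16-byte buffer */
}

/* Hardened setter: reject any length the fixed array cannot hold before
 * memcpy, so a caller-controlled length never writes past the 16 bytes.
 * Returns 0 on success, -1 when the length is rejected. */
int tfo_cookie_set(struct tfo_cookie_fields *f, const uint8_t *src, size_t len) {
    if (f == NULL || src == NULL || len > NECP_TFO_COOKIE_LEN_MAX)
        return -1;
    memcpy(f->necp_tcp_tfo_cookie, src, len);
    f->necp_tcp_tfo_cookie_len = (uint8_t)len;
    return 0;
}

/* Scenario: a cookie that exactly fills the buffer is accepted. */
int demo_accepts_full_cookie(void) {
    struct tfo_cookie_fields f = {0};
    uint8_t src[NECP_TFO_COOKIE_LEN_MAX];
    memset(src, 0xAB, sizeof src);                  /* constructed sample bytes */
    return tfo_cookie_set(&f, src, sizeof src) == 0
        && f.necp_tcp_tfo_cookie_len == NECP_TFO_COOKIE_LEN_MAX
        && f.necp_tcp_tfo_cookie[NECP_TFO_COOKIE_LEN_MAX - 1] == 0xAB;
}

/* Scenario: the largest length an 8-bit field can express is refused and
 * the destination is left untouched. */
int demo_rejects_uint8_max_len(void) {
    struct tfo_cookie_fields f = {0};
    uint8_t src[UINT8_MAX];
    memset(src, 0xCD, sizeof src);                  /* constructed sample bytes */
    return tfo_cookie_set(&f, src, UINT8_MAX) == -1
        && f.necp_tcp_tfo_cookie_len == 0
        && f.necp_tcp_tfo_cookie[0] == 0;
}
```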

------
exikyut
Context: This is a macOS kernel exploit.

