connection: Prevent pointer overflow from large lengths.
If the remote side sends sufficiently large `length` field, it will
overflow the `p` pointer. Technically it is undefined behavior, in
practice it makes `p < end`, so the length check passes. Attempts to
access the data later causes crashes.
This issue manifests only on 32bit systems, but the behavior is
Reviewed-by: Pekka Paalanen <email@example.com>
Reviewed-by: Derek Foreman <firstname.lastname@example.org>
1 file changed