[CVE-2018-6953] NDNTLV parser accepts Length field of the Name without any checks #195

Closed
blacksheeep opened this issue Feb 13, 2018 · 0 comments · Fixed by #197
blacksheeep (Contributor) commented Feb 13, 2018

The NDNTLV parser accepts the Length field of the Name without any checks.
Therefore, it is possible that the value of the length field of a component of a prefix and the actual size of the component differ.
In ccnl-pkt/ccnl-pkt-ndntlv.c:

```c
    while (len2 > 0) {
          if (ccnl_ndntlv_dehead(&cp, &len2, (int*) &typ, &i)) {
...
                  p->comp[p->compcnt] = cp;
                  p->complen[p->compcnt] = i;
...
          }
          cp += i;
          len2 -= i;
```

This issue can lead to an out-of-bounds memory access when executing ccnl_ndntlv_dehead again.

Additionally, in many places CCN-lite assumes that the length of the prefix is always correct.
When the length does not match the actual component length, buffer overflows or out-of-bounds memory accesses can occur in many places, e.g.:

  • ccnl_prefix_dup: buffer overflow, memcpy(p->bytes + len, prefix->comp[i], p->complen[i]); copies too many bytes if p->complen[i] > len(prefix->comp[i]), which can lead to a buffer overflow of p->bytes.
  • ccnl_prefix_cmp: out-of-bounds memory access, if (clen != nam->complen[i] || memcmp(comp, nam->comp[i], nam->complen[i])).
  • ccnl_prefix_debug_info: out-of-bounds memory access, len += snprintf(buf + len, CCNL_MAX_PACKET_SIZE - len, "%.*s", p->complen[i], p->comp[i]);.
@blacksheeep blacksheeep changed the title NDNTLV parser accepts Length field of the Name without any checks [CVE-2018-6953] NDNTLV parser accepts Length field of the Name without any checks Feb 14, 2018
@mfrey mfrey closed this as completed in #197 Mar 1, 2018
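The loop quoted in the report, reduced to a stand-alone example (added here; this is not CCN-lite's code and does not reproduce its real API). It parses the body of an NDN-TLV Name twice: once in the unchecked shape the issue describes, where a component's declared length is recorded and stepped over without comparing it to the bytes that remain, and once with that comparison added. The TLV encoding is simplified to one-byte type and length fields (real NDN-TLV uses variable-length numbers), the type codes 0x07/0x08 follow the NDN packet format, and the `dehead`, `parse_name_*` and `struct prefix` names are this example's own. The two input byte strings are constructed, not captured traffic.

```c
/* Added example, not CCN-lite code. Assumptions: 1-byte TLV type and
 * length fields, Name type 0x07, GenericNameComponent type 0x08,
 * at most MAX_COMPS components. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_COMPS 8
#define TLV_NAME  0x07
#define TLV_COMP  0x08

struct prefix {
    int compcnt;
    const uint8_t *comp[MAX_COMPS];
    int complen[MAX_COMPS];
};

/* Read one type/length header and advance *buf / shrink *len, in the role
 * ccnl_ndntlv_dehead plays in the issue. Returns 0 on success, -1 if
 * fewer than two bytes remain. Like the original it does NOT check that
 * *valuelen fits in what is left of *len; that is the caller's job. */
static int dehead(const uint8_t **buf, int *len, int *typ, int *valuelen)
{
    if (*len < 2)
        return -1;
    *typ = (*buf)[0];
    *valuelen = (*buf)[1];
    *buf += 2;
    *len -= 2;
    return 0;
}

/* Vulnerable shape: the declared length is stored and stepped over as-is.
 * A component claiming more bytes than remain leaves comp/complen pointing
 * past the packet, which later memcpy/memcmp/snprintf calls then trust. */
static int parse_name_unchecked(const uint8_t *cp, int len2, struct prefix *p)
{
    int typ, i;
    p->compcnt = 0;
    while (len2 > 0) {
        if (dehead(&cp, &len2, &typ, &i))
            return -1;
        if (typ == TLV_COMP && p->compcnt < MAX_COMPS) {
            p->comp[p->compcnt] = cp;
            p->complen[p->compcnt] = i;   /* may exceed len2 */
            p->compcnt++;
        }
        cp += i;      /* can run past the end of the buffer */
        len2 -= i;    /* can go negative and silently end the loop */
    }
    return 0;
}

/* Hardened: reject a component whose declared length exceeds the bytes
 * remaining in the Name before the pointer or the count is advanced. */
static int parse_name_checked(const uint8_t *cp, int len2, struct prefix *p)
{
    int typ, i;
    p->compcnt = 0;
    while (len2 > 0) {
        if (dehead(&cp, &len2, &typ, &i))
            return -1;
        if (i < 0 || i > len2)            /* the missing check */
            return -1;
        if (typ == TLV_COMP) {
            if (p->compcnt >= MAX_COMPS)
                return -1;
            p->comp[p->compcnt] = cp;
            p->complen[p->compcnt] = i;
            p->compcnt++;
        }
        cp += i;
        len2 -= i;
    }
    return 0;
}

/* Constructed inputs: the Name TLV body as the loop receives it, i.e. the
 * outer Name header has already been consumed. */
static const uint8_t good_name[] = { TLV_COMP, 2, 'a', 'b', TLV_COMP, 1, 'c' };
/* One component claiming 200 bytes while only two bytes follow. */
static const uint8_t bad_name[]  = { TLV_COMP, 200, 'x', 'y' };

int main(void)
{
    struct prefix p;
    if (parse_name_unchecked(bad_name, (int)sizeof bad_name, &p) == 0)
        printf("unchecked: accepted, complen[0]=%d but only %d bytes present\n",
               p.complen[0], (int)sizeof bad_name - 2);
    printf("checked: %s\n",
           parse_name_checked(bad_name, (int)sizeof bad_name, &p) ? "rejected" : "accepted");
    if (parse_name_checked(good_name, (int)sizeof good_name, &p) == 0)
        printf("good name: %d components\n", p.compcnt);
    return 0;
}
```

The check belongs in the parser rather than in each consumer: once a prefix has been accepted, ccnl_prefix_dup, ccnl_prefix_cmp and ccnl_prefix_debug_info all take complen[i] at face value, so the only place the declared length can be compared against real packet bytes is the loop that still holds len2.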