Re: Fwd: Any user can panic OpenBSD machine

From: Dag-Erling Coidan Smørgrav (dag-erliat_private)
Date: Mon Jul 27 1998 - 14:08:40 PDT

    "Todd C. Miller" <Todd.Millerat_private> writes:
    > In message <xzphg0357ze.fsfat_private>
    >       so spake  (dag-erli):
    >
    > > /sys/kern/sys_generic.c:
    > >                 if (uap->iovcnt > UIO_MAXIOV)
    > >                         return (EINVAL);
    >
    > We are talking about uio_resid not uio_iovcnt.
    
    *thwap* my mistake. The relevant piece of code is:
    
    /sys/kern/sys_generic.c:
            auio.uio_resid = 0;
            for (i = 0; i < uap->iovcnt; i++) {
                    auio.uio_resid += iov->iov_len;
                    if (auio.uio_resid < 0) {
                            error = EINVAL;
                            goto done;
                    }
                    iov++;
            }
    
    and since, as someone pointed out, iov->iov_len is a size_t, it
    doesn't make sense to check for negative values of auio.uio_resid. The
    problem arises from auio.uio_resid being an int rather than a size_t.
    
    DES (open mouth, insert foot, echo internationally)
    --
    Dag-Erling Smørgrav - dag-erliat_private
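
The accumulation discussed in this message, as an added example that is not part of the original post or of the OpenBSD source: a model of a signed 32-bit running total fed unsigned lengths, next to a variant that range-checks before each add. It assumes 32-bit `int` and `size_t`; the struct, the function names and the sample values are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit size_t and int, modelled with fixed-width types. */
struct iov32 { uint32_t iov_len; };

/* Constructed sample inputs (not taken from the post). */
static const struct iov32 sample_ok[2]   = { {4096u}, {512u} };
static const struct iov32 sample_wrap[2] = { {2u}, {0xFFFFFFFFu} };  /* true total > 4 GiB */
static const struct iov32 sample_neg[2]  = { {0x7FFFFFFFu}, {1u} };  /* total = INT32_MAX + 1 */

/* Models the quoted loop: signed accumulator, sign test after each add.
 * The add is done in uint32_t so the wraparound is well defined here
 * rather than signed-overflow undefined behaviour.
 * Returns the residual count, or -EINVAL when the sign test fires. */
static int32_t resid_sign_check(const struct iov32 *iov, int cnt)
{
    uint32_t acc = 0;
    for (int i = 0; i < cnt; i++) {
        acc += iov[i].iov_len;
        if (acc > (uint32_t)INT32_MAX)   /* equivalent to (int)acc < 0 */
            return -EINVAL;
    }
    return (int32_t)acc;
}

/* Range check before the add: reject as soon as the true total would
 * exceed INT32_MAX, so the accumulator can never wrap. */
static int32_t resid_range_check(const struct iov32 *iov, int cnt)
{
    uint32_t acc = 0;
    for (int i = 0; i < cnt; i++) {
        if (iov[i].iov_len > (uint32_t)INT32_MAX - acc)
            return -EINVAL;
        acc += iov[i].iov_len;
    }
    return (int32_t)acc;
}

int main(void)
{
    printf("ok:   sign=%d range=%d\n", (int)resid_sign_check(sample_ok, 2),   (int)resid_range_check(sample_ok, 2));
    printf("wrap: sign=%d range=%d\n", (int)resid_sign_check(sample_wrap, 2), (int)resid_range_check(sample_wrap, 2));
    printf("neg:  sign=%d range=%d\n", (int)resid_sign_check(sample_neg, 2),  (int)resid_range_check(sample_neg, 2));
    return 0;
}
```

The sign test catches a total that lands in the negative half of the range, but accepts one that wraps all the way back to a small positive value; the range check rejects both.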
    


