Re: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]

From: dullienat_private
Date: Thu Dec 05 2002 - 00:27:29 PST


    Hey all,
    
    RMC> Just tried it.
    RMC> Got the 500 server error in the logs with a size of 30K. No noticeable CPU increase, but got the "Not enough storage is available to complete this operation." in the log.
    RMC> Also tried 65535 and NO record found in logs whatsoever.
    
    I would expect several bugs similar to this all over the NT/2k/XP
    operating system ... the system-internal RtlInitAnsiString stores
    the length of the string as a 16-bit value (see disassembly),
    therefore sending any string > 65535 into RtlInitAnsiString will
    make the reported string size & the actual string size differ.
    
    .text:77F9194E RtlInitAnsiString proc near             ; CODE XREF: .text:77F83962p
    .text:77F9194E                                         ; .text:77F86280p ...
    .text:77F9194E 
    .text:77F9194E arg_0           = dword ptr  8
    .text:77F9194E arg_4           = dword ptr  0Ch
    .text:77F9194E 
    .text:77F9194E                 push    edi
    .text:77F9194F                 mov     edi, [esp+arg_4]
    .text:77F91953                 mov     edx, [esp+arg_0]
    .text:77F91957                 mov     dword ptr [edx], 0
    .text:77F9195D                 mov     [edx+4], edi
    .text:77F91960                 or      edi, edi
    .text:77F91962                 jz      short loc_77F91975
    .text:77F91964                 or      ecx, 0FFFFFFFFh
    .text:77F91967                 xor     eax, eax
    .text:77F91969                 repne scasb
    .text:77F9196B                 not     ecx
    .text:77F9196D                 mov     [edx+2], cx    <--- Here
    .text:77F91971                 dec     ecx
    .text:77F91972                 mov     [edx], cx      <--- Here
    .text:77F91975 
    .text:77F91975 loc_77F91975:                           ; CODE XREF: RtlInitAnsiString+14j
    .text:77F91975                 pop     edi
    .text:77F91976                 retn    8
    
    
    Cheers,
    dullienat_private
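An added C model of the truncation the listing shows, written for this page and not taken from the original post or from the Windows headers (the struct below imitates the ANSI_STRING layout the disassembly writes to, with Length at offset 0, MaximumLength at offset 2 and Buffer at offset 4; the function names are illustrative). It reproduces the two 16-bit stores, shows the reported Length wrapping for a 70000-byte input, and sets a checked variant beside it that refuses anything that does not fit in 16 bits instead of silently wrapping:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the counted-string layout the disassembly fills in:
 * [edx] = Length, [edx+2] = MaximumLength, [edx+4] = Buffer.
 * Illustrative definition for this example, not the Windows header. */
typedef struct {
    uint16_t Length;        /* bytes, excluding the terminating NUL */
    uint16_t MaximumLength; /* bytes, including the terminating NUL */
    char    *Buffer;
} ansi_string_model;

/* Mirrors the listing: scan to the NUL (repne scasb), store the count
 * including the NUL as MaximumLength, decrement, store as Length.
 * Both stores are 16-bit (mov [..], cx), so values above 65535 wrap. */
static void model_RtlInitAnsiString(ansi_string_model *dst, char *src)
{
    dst->Length = 0;             /* mov dword ptr [edx], 0 */
    dst->MaximumLength = 0;
    dst->Buffer = src;           /* mov [edx+4], edi */
    if (src == NULL)             /* or edi, edi / jz */
        return;
    size_t with_nul = strlen(src) + 1;        /* ecx after "not ecx" */
    dst->MaximumLength = (uint16_t)with_nul;  /* mov [edx+2], cx */
    dst->Length = (uint16_t)(with_nul - 1);   /* dec ecx / mov [edx], cx */
}

/* Checked variant (added here as the hardened form): fail instead of
 * truncating when length plus terminator does not fit in 16 bits.
 * Returns 0 on success, -1 when the input is too long. */
static int checked_init_ansi_string(ansi_string_model *dst, char *src)
{
    size_t len = src ? strlen(src) : 0;
    if (len + 1 > UINT16_MAX) {
        dst->Length = dst->MaximumLength = 0;
        dst->Buffer = NULL;
        return -1;
    }
    model_RtlInitAnsiString(dst, src);
    return 0;
}

/* Builds a constructed input of n 'A' bytes and returns the Length the
 * model reports for it; the real length is n. */
static uint16_t reported_length_for(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';
    ansi_string_model s;
    model_RtlInitAnsiString(&s, buf);
    uint16_t r = s.Length;
    free(buf);
    return r;
}

/* Same, but returns the reported MaximumLength (wraps to 0 at n = 65535). */
static uint16_t reported_max_for(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';
    ansi_string_model s;
    model_RtlInitAnsiString(&s, buf);
    uint16_t r = s.MaximumLength;
    free(buf);
    return r;
}

/* 1 when the reported Length and the real length differ, else 0. */
static int length_is_truncated(size_t n)
{
    return reported_length_for(n) != n;
}

/* 1 when the checked variant refuses an n-byte input, else 0. */
static int checked_rejects(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';
    ansi_string_model s;
    int rc = checked_init_ansi_string(&s, buf);
    free(buf);
    return rc != 0;
}

int main(void)
{
    size_t sizes[] = { 30000, 65535, 65536, 70000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = sizes[i];
        printf("real %zu -> Length %u, MaximumLength %u, truncated=%d, checked_rejects=%d\n",
               n, reported_length_for(n), reported_max_for(n),
               length_is_truncated(n), checked_rejects(n));
    }
    return 0;
}
```

The 65535-byte case is the awkward one: Length still reads 65535 correctly, but MaximumLength (65536) wraps to 0, which is why the checked variant bounds on length plus terminator rather than on length alone.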
    



    This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 23:40:44 PST