Bugtraq mailing list archives
Re: Possible SERIOUS bug in open()?
From: mem () MV MV COM (Mark E. Mallett)
Date: Fri, 24 Oct 1997 23:09:34 -0400
In muc.lists.freebsd.security, you wrote:
fd = open("/dev/rsd0a", -1, 0);
In fact it looks like any mode value with the bottom 2 bits on will work. e.g. -1, 3, 7, etc.
+ if(!flags) + flags++; +
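Review bot: `if(!flags) flags++;` silently rewrites an invalid request into a different mode instead of failing it, so the caller never learns that the argument was bad; consider returning an error at this point rather than incrementing. The test also compares the whole value against zero, so it would be clearer written against the access-mode bits specifically, with a comment saying why a value without them must not get through.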
This will only cover the -1 case. Perhaps also changing:
flags = FFLAGS(uap->flags);
to
flags = FFLAGS(uap->flags) & 3;
and then the zero test as above?
-mm-
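Added example, not part of the original post or of any BSD source: a user-space model of the checks discussed above, showing which open() mode values end up with neither read nor write access after conversion. The FREAD/FWRITE values and the FFLAGS definition are assumptions taken from the BSD `<sys/fcntl.h>` convention, and `strict_check` and `no_access_bits` are hypothetical names.

```c
#include <stdio.h>

/* Assumed from the BSD <sys/fcntl.h> convention; not shown in the post. */
#define FREAD   0x0001
#define FWRITE  0x0002
#define FFLAGS(oflags) ((oflags) + 1)

/* The quoted patch: only an all-zero converted value is adjusted. */
static int patch_check(int oflags)
{
    int flags = FFLAGS(oflags);
    if (!flags)
        flags++;
    return flags;
}

/* The variant proposed in the reply: mask to the low two bits first. */
static int masked_check(int oflags)
{
    int flags = FFLAGS(oflags) & 3;
    if (!flags)
        flags++;
    return flags;
}

/* Hypothetical alternative: reject instead of repair. Returns -1 on reject. */
static int strict_check(int oflags)
{
    int flags = FFLAGS(oflags);
    if ((flags & (FREAD | FWRITE)) == 0)
        return -1;
    return flags;
}

/* 1 if the converted flags carry neither read nor write access. */
static int no_access_bits(int flags)
{
    return (flags & (FREAD | FWRITE)) == 0;
}

int main(void)
{
    int samples[] = { -1, 3, 7, 0, 1, 2 };  /* constructed inputs */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m = samples[i], p = patch_check(m);
        printf("oflags=%2d patch=%#x no_access=%d masked=%#x strict=%d\n",
               m, (unsigned)p, no_access_bits(p),
               (unsigned)masked_check(m), strict_check(m));
    }
    return 0;
}
```

Note that `masked_check` returns only the two access bits, so any other flag bits in the original argument are not carried in its result.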