Bugtraq mailing list archives
Re: Fwd: Any user can panic OpenBSD machine
From: dag-erli () IFI UIO NO (Dag-Erling Coidan Smørgrav)
Date: Mon, 27 Jul 1998 22:55:49 +0200
"Todd C. Miller" <Todd.Miller () COURTESAN COM> writes:
> In message <v6pver2kl7.fsf () kechara lh vix com>
> so spake Michael Graff (explorer):
>
> > I tested a NetBSD/i386-1.3.2 machine just now, which also returned EINVAL.
>
> That's not correct behavior either. iov_len is unsigned so making it -1
> (which is the unsigned value 4294967295) should not be an error.

Not at all:

/sys/kern/sys_generic.c:
        if (uap->iovcnt > UIO_MAXIOV)
                return (EINVAL);

/sys/sys/uio.h:
#define UIO_MAXIOV      1024            /* max 1K of iov's */

-1 is rejected with EINVAL because 4294967295 > 1024.

BTW, FreeBSD is immune, too. As a matter of fact, the original BSD version (SCCS ID "@(#)sys_generic.c 8.5 (Berkeley) 1/21/94") has the check, so the OpenBSD folks must have f*d it up somewhere along the way.

DES (aka des () freebsd org)
--
Dag-Erling Smørgrav - dag-erli () ifi uio no
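
Added example, not part of the original post and not kernel source: a user-space model of the count check quoted above, showing how the signedness of the count decides whether -1 is rejected. The function names and the `MODEL_UIO_MAXIOV` macro are hypothetical; only the limit of 1024 and the unsigned comparison come from the post.

```c
#include <errno.h>
#include <stdio.h>

/* Limit quoted in the post from /sys/sys/uio.h; renamed here so it cannot
 * clash with a definition in the system headers. */
#define MODEL_UIO_MAXIOV 1024

/* The check as quoted: the count is compared as an unsigned value, so a
 * caller-supplied -1 arrives as 4294967295 (32-bit unsigned int) and is
 * rejected. */
int check_iovcnt_unsigned(unsigned int iovcnt)
{
    if (iovcnt > MODEL_UIO_MAXIOV)
        return EINVAL;
    return 0;
}

/* Hypothetical variant: signed count, upper bound only. The comparison
 * -1 > 1024 is false, so a negative count passes validation. */
int check_iovcnt_signed_upper_only(int iovcnt)
{
    if (iovcnt > MODEL_UIO_MAXIOV)
        return EINVAL;
    return 0;
}

/* Signed count validated on both sides: negatives are rejected explicitly. */
int check_iovcnt_signed_both(int iovcnt)
{
    if (iovcnt < 0 || iovcnt > MODEL_UIO_MAXIOV)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample counts, including both boundary values. */
    int samples[] = { -1, 0, 1024, 1025 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = samples[i];
        printf("iovcnt=%5d unsigned=%d signed_upper_only=%d signed_both=%d\n",
               n,
               check_iovcnt_unsigned((unsigned int)n),
               check_iovcnt_signed_upper_only(n),
               check_iovcnt_signed_both(n));
    }
    return 0;
}
```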