Bugtraq mailing list archives

Re: Fwd: Any user can panic OpenBSD machine

From: dag-erli () IFI UIO NO (Dag-Erling Coidan Smørgrav)
Date: Mon, 27 Jul 1998 23:08:40 +0200


"Todd C. Miller" <Todd.Miller () courtesan com> writes:

In message <xzphg0357ze.fsf () hrotti ifi uio no>
      so spake  (dag-erli):

/sys/kern/sys_generic.c:
                if (uap->iovcnt > UIO_MAXIOV)
                        return (EINVAL);


We are talking about uio_resid not uio_iovcnt.


*thwap* my mistake. The relevant piece of code is:

/sys/kern/sys_generic.c:
        auio.uio_resid = 0;
        for (i = 0; i < uap->iovcnt; i++) {
                auio.uio_resid += iov->iov_len;
                if (auio.uio_resid < 0) {
                        error = EINVAL;
                        goto done;
                }
                iov++;
        }

and since, as someone pointed out, iov->iov_len is a size_t, it
doesn't make sense to check for negative values of auio.uio_resid. The
problem arises from auio.uio_resid being an int rather than a size_t.

DES (open mouth, insert foot, echo internationally)
--
Dag-Erling Smørgrav - dag-erli () ifi uio no

Current thread:

Re: small bug in 5/98 distribution Sun 4070627, (continued)
- - Re: small bug in 5/98 distribution Sun 4070627 Eugene Bradley (Jul 24)
    - Re: small bug in 5/98 distribution Sun 4070627 Brandon Hume (Jul 26)
    - Re: small bug in 5/98 distribution Sun 4070627 Casper Dik (Jul 27)
    - FW: Alert: Arbitrary code execution via email or news Patrick Oonk (Jul 27)
    - ISS Security Advisory -- MS Exchange 5.x Jon Larimer (Jul 27)
    - [ NT SECURITY ALERT ] New Local GetAdmin Exploit MJE (Jul 27)
    - Microsoft Security Bulletin (MS98-009) Aleph One (Jul 28)
    - Microsoft Security Bulletin (MS98-008) Aleph One (Jul 27)
    - Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine David Maxwell (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Dag-Erling Coidan Smørgrav (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Angelos D. Keromytis (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Alfred Huger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - CERT Vendor-Initiated Bulletin VB-98.07 - OpenVMS.LOGINOUT (fwd) Phillip R. Jaenke (Jul 28)

(Thread continues...)