Re: Fwd: Any user can panic OpenBSD machine
Dag-Erling Coidan Smørgrav (dag-erli@IFI.UIO.NO)
Mon, 27 Jul 1998 22:55:49 +0200
"Todd C. Miller" <Todd.Miller@COURTESAN.COM> writes:
> In message <v6pver2kl7.fsf@kechara.lh.vix.com>
> so spake Michael Graff (explorer):
> > I tested a NetBSD/i386-1.3.2 machine just now, which also returned
> > EINVAL.
> That's not correct behavior either. iov_len is unsigned so making it
> -1 (which is the unsigned value 4294967295) should not be an error.

Not at all:

/sys/kern/sys_generic.c:
        if (uap->iovcnt > UIO_MAXIOV)
                return (EINVAL);

/sys/sys/uio.h:
#define UIO_MAXIOV      1024            /* max 1K of iov's */

-1 is rejected with EINVAL because 4294967295 > 1024.

BTW, FreeBSD is immune, too. As a matter of fact, the original BSD
version (SCCS ID "@(#)sys_generic.c 8.5 (Berkeley) 1/21/94") has the
check, so the OpenBSD folks must have f*d it up somewhere along the
way.

DES (aka des@freebsd.org)
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
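Added example, not part of the original message and not kernel source: a userland model of the iovcnt bound check quoted above, showing why a count of -1 is rejected when compared as unsigned. The MODEL_* names, struct model_iovec, the signed variant (a constructed contrast, not a claim about any particular kernel's code) and the length-sum check (the EINVAL condition POSIX documents for writev) are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_UIO_MAXIOV 1024u            /* value of UIO_MAXIOV quoted in the message */
#define MODEL_SSIZE_MAX  (SIZE_MAX / 2)   /* largest byte count a ssize_t result can carry */

struct model_iovec { void *iov_base; size_t iov_len; };   /* stand-in for struct iovec */

/* The quoted check: compared as unsigned, -1 is 4294967295 and is rejected. */
int check_iovcnt_unsigned(int iovcnt)
{
    return ((unsigned int)iovcnt > MODEL_UIO_MAXIOV) ? EINVAL : 0;
}

/* Constructed contrast: same bound, signed comparison; -1 is below 1024 and passes. */
int check_iovcnt_signed(int iovcnt)
{
    return (iovcnt > (int)MODEL_UIO_MAXIOV) ? EINVAL : 0;
}

/* Validate the count first, then the lengths; *total is written only on success. */
int validate_iov(int iovcnt, const struct model_iovec *iov, size_t *total)
{
    size_t sum = 0;
    int error = check_iovcnt_unsigned(iovcnt);
    if (error != 0)
        return error;                 /* never index iov[] with an unchecked count */
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > MODEL_SSIZE_MAX - sum)
            return EINVAL;            /* total would not fit the return type */
        sum += iov[i].iov_len;
    }
    *total = sum;
    return 0;
}

int main(void)
{
    struct model_iovec ok[2] = { { NULL, 16 }, { NULL, 32 } };   /* constructed input */
    struct model_iovec big[1] = { { NULL, (size_t)-1 } };        /* iov_len set to -1 */
    size_t total = 0;
    printf("iovcnt=-1 unsigned: %d\n", check_iovcnt_unsigned(-1));
    printf("iovcnt=-1 signed:   %d\n", check_iovcnt_signed(-1));
    printf("two small iovecs:   %d\n", validate_iov(2, ok, &total));
    printf("iov_len=(size_t)-1: %d\n", validate_iov(1, big, &total));
    return 0;
}
```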