From: Andrew R. Reiter (arrwatson.org)
Date: Fri Sep 07 2001 - 16:10:16 CDT


    On Fri, 7 Sep 2001, Kris Kennaway wrote:
    :
    :I don't know about this one.. we may be. Someone will have to look
    :into it.

    In terms of -015 vuln from netbsd:

    1) semop: -STABLE (44-RC from 8/28/01) seems to be vulnerable. If we
    look at sys/kern/sysv_sem.c, we can see that we do:

    int
    semop(p, uap)
            struct proc *p;
            register struct semop_args *uap;
    {
            int semid = uap->semid;
            int nsops = uap->nsops;

    nsops, defined from the man page and sysproto.h semop_args structure,
    is _unsigned_. So, I'd say we are vulnerable to #1. Solution: make the
    local nsops variable unsigned (size_t might be better?)

    2) still need to look into, will follow-up if no one else has when I look
    into it

    3) same as 2

    hope this helps.

    *-------------.................................................
    | Andrew R. Reiter
    | arrfledge.watson.org
    | "It requires a very unusual mind
    | to undertake the analysis of the obvious" -- A.N. Whitehead

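Added example, not part of the original message or of the FreeBSD source: a user-space C model of the signedness mismatch described in item 1, with the signed local beside the unsigned fix the message suggests. The limit `MAX_SOPS`, the struct `sembuf_model` and all function names are constructed assumptions; the excerpt above does not show the kernel's actual limit check.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SOPS 100u  /* constructed per-call limit, not FreeBSD's value */

/* Stand-in for one semaphore operation record (assumption). */
struct sembuf_model { unsigned short sem_num; short sem_op; short sem_flg; };

/* Pattern from the excerpt: the unsigned argument is copied into a signed
 * local. On the usual two's-complement targets, values above INT_MAX turn
 * negative, so an upper-bound check alone lets them through.
 * Returns 1 if the request passes the limit check. */
int accepts_signed(unsigned int arg_nsops)
{
    int nsops = (int)arg_nsops;
    if (nsops > (int)MAX_SOPS)
        return 0;
    return 1;
}

/* The fix suggested in the message: keep the local unsigned. */
int accepts_unsigned(unsigned int arg_nsops)
{
    size_t nsops = arg_nsops;
    if (nsops > MAX_SOPS)
        return 0;
    return 1;
}

/* Byte count a later copy would be asked for if the negative count
 * were used as a size (assumed use, for illustration). */
size_t copy_len_signed(unsigned int arg_nsops)
{
    int nsops = (int)arg_nsops;
    return (size_t)nsops * sizeof(struct sembuf_model);
}

int main(void)
{
    unsigned int samples[] = { 5u, 101u, UINT_MAX };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("nsops=%u signed_ok=%d unsigned_ok=%d len=%zu\n",
               samples[i], accepts_signed(samples[i]),
               accepts_unsigned(samples[i]), copy_len_signed(samples[i]));
    return 0;
}
```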