Re: Possible SERIOUS bug in open()?

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Fri, 24 Oct 1997 18:10:32 -0600

> This is far from the only
> place that I've seen problems with unexpected interactions owing to
> surprise negative arguments. Anyone want to take a guess as to what
> strncpy() does when it gets a negative "count" argument? Think that can't
> happen? Think pointer arithmetic.

Yes, but I did a 4 hour or so search in the source tree and didn't
find a single case of such a "strncpy() turning into strcpy()".

It could. But I've not found one. Incorrectly bounded strncat()
calls are far more common, but even then, I can't think of one of
those that we found to be exploitable.
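Added illustration, not code from this thread or from OpenBSD: the two patterns discussed above, a count derived from pointer arithmetic that has gone negative before it reaches strncpy()'s size_t parameter, and an strncat() bound that ignores the bytes already in the destination. The cursor position is modelled as an offset so the arithmetic stays well-defined; function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* What a negative count becomes once it is passed to strncpy(): the
 * implicit conversion to size_t turns -1 into SIZE_MAX, so the "bounded"
 * copy is no longer bounded at all. */
size_t count_as_seen_by_strncpy(ptrdiff_t count) {
    return (size_t)count;
}

/* Bounded copy into the space left after `offset` bytes of `buf`.
 * Refuses (returns 0) when the remaining space is zero or negative, which
 * is exactly the case that would otherwise wrap to a huge size_t.
 * Returns 1 on success and always NUL-terminates the copied region. */
int copy_remaining(char *buf, size_t buf_size, size_t offset, const char *src) {
    ptrdiff_t remaining = (ptrdiff_t)buf_size - (ptrdiff_t)offset;
    if (remaining <= 0)
        return 0;                      /* would have become SIZE_MAX-ish */
    size_t room = (size_t)remaining;
    strncpy(buf + offset, src, room - 1);
    buf[offset + room - 1] = '\0';     /* strncpy() does not guarantee a NUL */
    return 1;
}

/* Length of `s` without reading past `max` bytes (own helper, so the
 * block does not depend on the POSIX strnlen()). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strncat() with the bound it actually needs: the space left after the
 * existing string and its terminator, not the total buffer size.
 * Returns 0 if dst is full or not terminated within dst_size. */
int append_bounded(char *dst, size_t dst_size, const char *src) {
    size_t used = bounded_len(dst, dst_size);
    if (used >= dst_size)
        return 0;                      /* no terminator: nothing safe to do */
    size_t room = dst_size - used - 1;
    strncat(dst, src, room);           /* strncat() adds the NUL itself */
    return 1;
}

int main(void) {
    char buf[8] = {0};
    printf("count -1 seen as %zu\n", count_as_seen_by_strncpy(-1));
    printf("offset past end refused: %d\n", copy_remaining(buf, sizeof buf, 10, "x") == 0);
    copy_remaining(buf, sizeof buf, 4, "hello world");
    printf("tail after copy: \"%s\"\n", buf + 4);
    char dst[8] = "abc";
    append_bounded(dst, sizeof dst, "defghij");
    printf("after bounded append: \"%s\"\n", dst);
    return 0;
}
```

The refusal in copy_remaining() is the check that is missing wherever a "remaining bytes" count is computed from two pointers and handed straight to a size_t parameter; the bound in append_bounded() is the one that distinguishes a correctly bounded strncat() from the incorrectly bounded ones mentioned above.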