Re: Possible SERIOUS bug in open()?

Mark E. Mallett (mem@MV.MV.COM)
Fri, 24 Oct 1997 23:09:34 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Savochkin Andrey Vladimirovich: "Re: SECURITY: groff, rhs-printfilters, tetex, metamail fixes"
Previous message: Theo de Raadt: "Re: Possible SERIOUS bug in open()?"
Maybe in reply to: Aleph One: "Possible SERIOUS bug in open()?"
Next in thread: Tim Newsham: "Re: Possible SERIOUS bug in open()?"

>
> In muc.lists.freebsd.security, you wrote:
> > fd = open("/dev/rsd0a", -1, 0);

In fact it looks like any mode value with the bottom 2 bits on will
work. e.g. -1, 3, 7, etc.

> + if(!flags)
> + flags++;
> +

This will only cover the -1 case. Perhaps also changing:

> flags = FFLAGS(uap->flags);

to

> flags = FFLAGS(uap->flags) & 3;

and then the zero test as above?

-mm-

Next message: Savochkin Andrey Vladimirovich: "Re: SECURITY: groff, rhs-printfilters, tetex, metamail fixes"
Previous message: Theo de Raadt: "Re: Possible SERIOUS bug in open()?"
Maybe in reply to: Aleph One: "Possible SERIOUS bug in open()?"
Next in thread: Tim Newsham: "Re: Possible SERIOUS bug in open()?"