Date: Thu, 19 Jul 2001 10:12:25 -0700 (PDT) From: Matt Dillon <dillon@earth.backplane.com> To: Assar Westerlund <assar@FreeBSD.ORG> Cc: "Jacques A. Vidrine" <n@nectar.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <200107191712.f6JHCPD75088@earth.backplane.com> References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <200107191657.f6JGvG574763@earth.backplane.com> <5llmlk26j4.fsf@assaris.sics.se>
next in thread | previous in thread | raw e-mail | index | archive | help
:output_data adds the result from vsnprintf() to nfrontp. If there's
:not enough room for the formatted string in `remaining', vsnprintf()
:returns the size that would be required. Bad me, no cookie.
:
:/assar
Ach! Of course! I totally missed that even though I read the code
half a dozen times.
It's even owrse... size_t is unsigned, so once you overflow the buffer
the 'remaining' amount will be some huge number and you are screwed.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107191712.f6JHCPD75088>