[39921] in Cypherpunks
Re: netscape bug
daemon@ATHENA.MIT.EDU (Tom Weinstein)
Fri Sep 22 20:07:03 1995
Date: Fri, 22 Sep 1995 17:03:21 -0700
From: tomw@orac.engr.sgi.com (Tom Weinstein)
To: perry@piermont.com
Cc: cypherpunks@toad.com
In-Reply-To: "Perry E. Metzger"'s message of 21 Sep 1995 22:45:04 PDT
Reply-To: tomw@cthulhu.engr.sgi.com
In article <DFALB4.A5u@sgi.sgi.com>, "Perry E. Metzger" <perry@piermont.com> writes:
> I can tell you in general terms -- I don't write MIPS assembler
> myself. However, I will point out to you that you use an ancient
> Sendmail, and that it uses syslog(3) on user produced data, and that
> syslog uses a static buffer. Trick sendmail into logging something
> very big, and you can do what you like. The 8lgm people wrote a demo
> for Sparc as a proof of concept.
Hmm, after having looked at the syslogd code, it looks like this
particular bug has been fixed for at least several years. However,
there sure are a hell of a lot of fixed size buffers being allocated off
the stack and some of them are being used in unsafe ways.
--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto | tomw@engr.sgi.com
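The pattern the thread is arguing about, a fixed-size buffer on the stack filled from user-controlled data by an unbounded formatter, shown in miniature as an added example. This is not code from the message, from sendmail, or from any syslog implementation; the buffer size (LOGBUF), the log prefix, the function names and the sample sender strings are all constructed for illustration. The hardened variant uses the snprintf return value, which reports the length the full message would have had, to detect truncation instead of writing past the buffer.

```c
/* Added example: fixed-size stack log buffer, unbounded vs bounded fill.
 * LOGBUF, PREFIX, the function names and the inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define LOGBUF 128                      /* assumed size of the log buffer */
#define PREFIX "sendmail: reject from " /* constructed log prefix */

/* Vulnerable pattern: sprintf() into a fixed stack buffer with no length
 * check. Anything beyond LOGBUF bytes lands on the stack past buf[].
 * Included only to show the shape; it is only ever called with short input. */
size_t log_unbounded(const char *user_data)
{
    char buf[LOGBUF];
    sprintf(buf, PREFIX "%s", user_data);   /* no bound on user_data */
    return strlen(buf);
}

/* Hardened pattern: snprintf() never writes more than sizeof buf bytes and
 * returns the length the complete message would have had, so a value of
 * sizeof buf or more means the line was cut off rather than overflowed.
 * Returns 1 if the whole message fit, 0 if it was truncated. */
int log_bounded(const char *user_data)
{
    char buf[LOGBUF];
    int needed = snprintf(buf, sizeof buf, PREFIX "%s", user_data);
    return needed >= 0 && (size_t)needed < sizeof buf;
}

/* Bytes the formatted line needs including the terminating NUL: the
 * explicit pre-check a caller could apply before touching the buffer. */
size_t bytes_needed(const char *user_data)
{
    return strlen(PREFIX) + strlen(user_data) + 1;
}

/* Constructed oversized input: 300 'A's, far longer than LOGBUF. With
 * log_unbounded() this would smash the stack; log_bounded() just reports
 * that it did not fit. */
int oversized_fits(void)
{
    char payload[301];
    memset(payload, 'A', 300);
    payload[300] = '\0';
    return log_bounded(payload);
}

int main(void)
{
    const char *sender = "alice@example.org";   /* constructed sample sender */
    printf("short input: needs %zu bytes, fit=%d\n",
           bytes_needed(sender), log_bounded(sender));
    printf("oversized input: fit=%d (would have overrun a %d-byte buffer)\n",
           oversized_fits(), LOGBUF);
    return 0;
}
```

The point of the bytes_needed/snprintf pair is that the fix is not just "use a bigger buffer": the caller has to learn that truncation happened, because a silently cut log line is itself a problem for anyone reading the logs later.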