[5447] in bugtraq
Re: Possible SERIOUS bug in open()?
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Oct 24 20:52:35 1997
Date: Fri, 24 Oct 1997 18:10:32 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 23 Oct 1997 10:05:27 CDT."
<Pine.SUN.3.94.971023100458.7159E-100000@dfw.dfw.net>
> This is far from the only
> place that I've seen problems with unexpected interactions owing to
> surprise negative arguments. Anyone want to take a guess as to what
> strncpy() does when it gets a negative "count" argument? Think that can't
> happen? Think pointer arithmetic.
Yes, but I did a 4-hour or so search in the source tree and didn't
find a single case of such a "strncpy() turning into strcpy()".
It could. But I've not found one. Incorrectly bounded strncat()
calls are far more common, but even then, I can't think of one of
those that we found to be exploitable.
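The mechanism the thread is arguing about, as an added example (this is not code from the post, from Theo, or from the OpenBSD tree; the function names count_seen_by_strncpy, strncat_room and safe_append are hypothetical). The bound for strncpy()/strncat() is a size_t; when the caller computes it as (end - p) and p has already run past end, the negative ptrdiff_t is converted to a huge unsigned count and the "bounded" copy is effectively strcpy(). The second half shows the strncat() bound the message calls "incorrectly bounded" (sizeof(buf) instead of the space left) and a cursor-based append that refuses the negative case instead of passing it on:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the original post. All names are hypothetical.
 * Shows the count strncpy() actually receives when a pointer-arithmetic
 * bound has gone negative, the correct strncat() bound, and a checked
 * append that rejects a cursor that has already passed the buffer end.
 */

/* The count strncpy() sees when a caller passes (end - p).
 * end - p is a signed ptrdiff_t; the size_t parameter turns a negative
 * value into a huge unsigned one, so the copy is no longer bounded. */
size_t count_seen_by_strncpy(const char *p, const char *end)
{
    ptrdiff_t remaining = end - p;  /* negative once p has run past end */
    return (size_t)remaining;       /* the implicit conversion at the call */
}

/* Bytes a correctly bounded strncat() may append to dst, which lives in a
 * buffer of bufsize bytes. The common mistake is passing sizeof(buf) here;
 * the right bound is what is left after the existing string and its NUL. */
size_t strncat_room(const char *dst, size_t bufsize)
{
    size_t used = 0;
    while (used < bufsize && dst[used] != '\0')
        used++;
    return used >= bufsize ? 0 : bufsize - used - 1;
}

/* Checked append through a cursor. Refuses when the cursor lies outside
 * [buf, buf + bufsize), which is exactly the case where end - cursor would
 * be zero or negative. Returns the number of bytes appended. */
size_t safe_append(char *buf, size_t bufsize, char **cursor, const char *src)
{
    char *end = buf + bufsize;
    if (bufsize == 0 || *cursor < buf || *cursor >= end)
        return 0;                               /* no room or cursor past end */
    size_t room = (size_t)(end - *cursor) - 1;  /* keep one byte for the NUL */
    size_t n = strlen(src);
    if (n > room)
        n = room;                               /* truncate instead of overflow */
    memcpy(*cursor, src, n);
    *cursor += n;
    **cursor = '\0';
    return n;
}

int main(void)
{
    char buf[16];                 /* constructed buffer; 8 bytes are "in use" */
    char *cursor = buf;

    /* Cursor deliberately 4 bytes past the logical end: the count wraps. */
    printf("count strncpy() would see: %zu\n",
           count_seen_by_strncpy(buf + 12, buf + 8));

    buf[0] = '\0';
    safe_append(buf, 8, &cursor, "abcdef");
    safe_append(buf, 8, &cursor, "ghij");   /* only one byte fits */
    printf("buf = \"%s\", correct strncat() bound now = %zu\n",
           buf, strncat_room(buf, 8));
    return 0;
}
```

The overflowing call itself is not executed, since it is undefined behaviour; what the example makes visible is the count the libc routine is handed, which is the whole point of the "strncpy() turning into strcpy()" remark.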