[5447] in bugtraq


Re: Possible SERIOUS bug in open()?

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Oct 24 20:52:35 1997

Date: 	Fri, 24 Oct 1997 18:10:32 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 23 Oct 1997 10:05:27 CDT." 
              <Pine.SUN.3.94.971023100458.7159E-100000@dfw.dfw.net>

> This is far from the only
> place that I've seen problems with unexpected interactions owing to
> surprise negative arguments. Anyone want to take a guess as to what
> strncpy() does when it gets a negative "count" argument? Think that can't
> happen? Think pointer arithmetic.

Yes, but I did a 4 hour or so search in the source tree and didn't
find a single case of such a "strncpy() turning into strcpy()".

It could.  But I've not found one.  Incorrectly bounded strncat()
calls are far more common, but even then, I can't think of one of
those that we found to be exploitable.

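The two patterns discussed above, a negative "count" reaching strncpy() and an incorrectly bounded strncat(), as an added illustration that is not part of the thread. The buffer layout, the `used` offset, and every function name here are constructed for the example; the code computes the bound that would be passed rather than performing the out-of-bounds copy, so it runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed scenario: a fixed-size record buffer holding a header, then
 * a variable-length field appended at offset `used`.  If `used` is ever
 * larger than the buffer (a miscomputed offset, pointer arithmetic gone
 * wrong), `sizeof buf - used` is negative when done in signed arithmetic. */

/* What strncpy() actually receives: its count parameter is size_t, so a
 * negative int converts to a huge unsigned value and the "bounded" copy
 * behaves exactly like strcpy(). */
size_t count_as_seen_by_strncpy(int remaining) {
    return (size_t)remaining;
}

/* The unsafe bound computation, returned instead of used, so the demo
 * never writes past the buffer.  Goes negative when used > bufsize. */
int unsafe_remaining(size_t bufsize, int used) {
    return (int)bufsize - used;
}

/* Hardened append: check `used` against the size BEFORE subtracting, keep
 * everything in size_t, reserve a byte for the NUL, and refuse rather than
 * silently truncate.  Returns 0 on success, -1 when there is no room. */
int append_field(char *buf, size_t bufsize, size_t used, const char *src) {
    if (bufsize == 0 || used >= bufsize)
        return -1;                        /* not even room for the NUL */
    size_t room = bufsize - used - 1;     /* cannot underflow after the check */
    size_t n = strlen(src);
    if (n > room)
        return -1;
    memcpy(buf + used, src, n);
    buf[used + n] = '\0';
    return 0;
}

/* Correctly bounded strncat(): the third argument is the number of bytes
 * to APPEND, not sizeof(dst).  Passing sizeof(dst) overflows by strlen(dst). */
int bounded_strncat(char *dst, size_t dstsize, const char *src) {
    const char *nul = memchr(dst, '\0', dstsize);
    if (nul == NULL)
        return -1;                        /* dst not terminated within bounds */
    size_t len = (size_t)(nul - dst);
    size_t room = dstsize - len - 1;      /* bytes that may be appended */
    if (strlen(src) > room)
        return -1;
    strncat(dst, src, room);              /* strncat writes the NUL itself */
    return 0;
}

/* Exercises both hardened helpers; returns 1 when all behave as intended. */
int demo(void) {
    char buf[16] = "hdr:";
    if (append_field(buf, sizeof buf, 4, "payload") != 0) return 0;
    if (strcmp(buf, "hdr:payload") != 0) return 0;
    if (append_field(buf, sizeof buf, 20, "x") != -1) return 0;        /* used > size */
    if (append_field(buf, sizeof buf, 11, "0123456") != -1) return 0;  /* 7 bytes, room 4 */

    char d[8] = "abc";
    if (bounded_strncat(d, sizeof d, "defg") != 0) return 0;           /* fills exactly */
    if (strcmp(d, "abcdefg") != 0) return 0;
    if (bounded_strncat(d, sizeof d, "h") != -1) return 0;             /* no room left */
    return 1;
}

int main(void) {
    int bad = unsafe_remaining(16, 20);
    printf("signed remaining = %d, as size_t = %zu\n",
           bad, count_as_seen_by_strncpy(bad));
    printf("hardened helpers %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

The first printf shows the conversion Theo and the quoted poster are talking about: a remaining length of -4 becomes a count of SIZE_MAX-3, so strncpy() copies until the source's NUL regardless of the destination's size. The fix is not a different library call but validating the offset before the subtraction and doing the arithmetic unsigned.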