[5449] in bugtraq
Re: Possible SERIOUS bug in open()?
daemon@ATHENA.MIT.EDU (Mark E. Mallett)
Sat Oct 25 03:23:17 1997
Date: Fri, 24 Oct 1997 23:09:34 -0400
Reply-To: "Mark E. Mallett" <mem@MV.MV.COM>
From: "Mark E. Mallett" <mem@MV.MV.COM>
X-To: aleph1@DFW.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SUN.3.94.971023100458.7159E-100000@dfw.dfw.net> from "Aleph One" at Oct 23, 97 10:05:27 am
>
> In muc.lists.freebsd.security, you wrote:
> > fd = open("/dev/rsd0a", -1, 0);
In fact it looks like any mode value with the bottom 2 bits on will work, e.g. -1, 3, 7, etc.
> + if(!flags)
> + flags++;
> +
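Review bot: the `if(!flags)` test only fires for the single input that FFLAGS() converts to exactly zero, so the other modes the reply names (3, 7) still pass through with neither access bit set; the check should look at the read/write bits of the converted value rather than at the whole word, and it should fail the call with EINVAL instead of doing `flags++`, which silently hands a read open to a caller who asked for neither read nor write.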
This will only cover the -1 case. Perhaps also changing:
> flags = FFLAGS(uap->flags);
to
> flags = FFLAGS(uap->flags) & 3;
and then the zero test as above?
-mm-
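Added example (my code, not from the mail or from the FreeBSD tree): it walks the modes named above through the open-flag conversion and shows which ones the posted `!flags` test catches, beside a check on the access bits that rejects all of them with EINVAL. The FFLAGS(), FREAD and FWRITE definitions follow the BSD fcntl.h convention and are an assumption here, not text from the thread.

```c
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>

/* Assumed (BSD fcntl.h convention, not quoted in the mail): the access mode
 * lives in the low two bits of the open(2) flags, and the kernel turns them
 * into per-file flags with FFLAGS(), which adds one so that O_RDONLY (0)
 * becomes FREAD (1), O_WRONLY (1) becomes FWRITE (2), O_RDWR (2) becomes both. */
#define O_CREAT_BSD 0x0200              /* one non-access bit, for contrast */
#define FREAD       0x0001
#define FWRITE      0x0002
#define FFLAGS(oflags) ((oflags) + 1)

/* The posted patch, as a predicate: it only notices a converted value of zero. */
bool patch_rejects(int oflags)
{
    int flags = FFLAGS(oflags);
    return flags == 0;
}

/* Defensive check: refuse the open when neither access bit survives the
 * conversion, whatever else the caller set in the word. Returns 0 or EINVAL. */
int validate_open_flags(int oflags)
{
    int flags = FFLAGS(oflags);
    if ((flags & (FREAD | FWRITE)) == 0)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample modes: the three the mail says work (-1, 3, 7),
     * the three legitimate access modes, and O_RDWR combined with O_CREAT. */
    const int modes[] = { -1, 3, 7, 0, 1, 2, 2 | O_CREAT_BSD };
    for (unsigned i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int m = modes[i];
        printf("oflags=%#06x FFLAGS=%#06x  patch rejects: %-3s  access check: %s\n",
               m & 0xffff, FFLAGS(m) & 0xffff,
               patch_rejects(m) ? "yes" : "no",
               validate_open_flags(m) ? "EINVAL" : "ok");
    }
    return 0;
}
```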