[7402] in bugtraq
Re: Fwd: Any user can panic OpenBSD machine
daemon@ATHENA.MIT.EDU (Dag-Erling Coidan =?iso-8859-1?Q?S)
Mon Jul 27 21:19:30 1998
Date: Mon, 27 Jul 1998 23:08:40 +0200
Reply-To: Dag-Erling Coidan Smørgrav <dag-erli@IFI.UIO.NO>
From: Dag-Erling Coidan Smørgrav <dag-erli@IFI.UIO.NO>
X-To: "Todd C. Miller" <Todd.Miller@courtesan.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: "Todd C. Miller"'s message of "Mon, 27 Jul 1998 14:59:55 -0600"
"Todd C. Miller" <Todd.Miller@courtesan.com> writes:
> In message <xzphg0357ze.fsf@hrotti.ifi.uio.no>
> so spake (dag-erli):
>
> > /sys/kern/sys_generic.c:
> > if (uap->iovcnt > UIO_MAXIOV)
> > return (EINVAL);
>
> We are talking about uio_resid not uio_iovcnt.
*thwap* my mistake. The relevant piece of code is:
/sys/kern/sys_generic.c:
        auio.uio_resid = 0;
        for (i = 0; i < uap->iovcnt; i++) {
                auio.uio_resid += iov->iov_len;
                if (auio.uio_resid < 0) {
                        error = EINVAL;
                        goto done;
                }
                iov++;
        }
and since, as someone pointed out, iov->iov_len is a size_t, it
doesn't make sense to check for negative values of auio.uio_resid. The
problem arises from auio.uio_resid being an int rather than a size_t.
DES (open mouth, insert foot, echo internationally)
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
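
Added example, not part of the original message and not OpenBSD's code: a userland model of the loop quoted above, showing why a sign test on an int total cannot validate unsigned lengths, next to a range check made before each add. It assumes a 32-bit int and a 32-bit size_t; the names model_iovec, sum_signcheck, sum_rangecheck and wrap_case are hypothetical, and the range check is one possible guard, not the change the project made.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit platform (an assumption of this example): iov_len is an
 * unsigned 32-bit size_t, uio_resid a signed 32-bit int. Names are hypothetical. */
struct model_iovec { uint32_t iov_len; };

/* The pattern quoted in the post: accumulate into an int, then test the sign. */
int sum_signcheck(const struct model_iovec *iov, int iovcnt, int32_t *resid)
{
    int32_t r = 0;
    for (int i = 0; i < iovcnt; i++, iov++) {
        /* int += size_t adds as unsigned, then narrows back to int */
        r = (int32_t)((uint32_t)r + iov->iov_len);
        if (r < 0)
            return EINVAL;
    }
    *resid = r;
    return 0;
}

/* Range check done before the add, so the total can never pass INT32_MAX. */
int sum_rangecheck(const struct model_iovec *iov, int iovcnt, int32_t *resid)
{
    uint32_t r = 0;
    for (int i = 0; i < iovcnt; i++, iov++) {
        if (iov->iov_len > (uint32_t)INT32_MAX - r)
            return EINVAL;
        r += iov->iov_len;
    }
    *resid = (int32_t)r;
    return 0;
}

/* Constructed lengths: each partial sum stays non-negative after narrowing. */
static const struct model_iovec wrap_case[2] = { { 0x7fffffffu }, { 0x80000001u } };

int main(void)
{
    int32_t a = -1, b = -1;
    int ea = sum_signcheck(wrap_case, 2, &a);
    int eb = sum_rangecheck(wrap_case, 2, &b);
    printf("sign check:  error=%d resid=%d\n", ea, (int)a);
    printf("range check: error=%d (EINVAL=%d)\n", eb, EINVAL);
    return 0;
}
```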