[7405] in bugtraq
Re: Fwd: Any user can panic OpenBSD machine
daemon@ATHENA.MIT.EDU (Warner Losh)
Mon Jul 27 21:47:03 1998
Date: Mon, 27 Jul 1998 15:38:24 -0600
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 27 Jul 1998 13:32:19 MDT."
<199807271932.NAA05034@xerxes.courtesan.com>

In message <199807271932.NAA05034@xerxes.courtesan.com> "Todd C. Miller" writes:
: That's not correct behavior either. iov_len is unsigned so making it
: -1 (which is the unsigned value 4294967295) should not be an error.

It should at least return EFAULT, which is documented for things that
fall outside of the process's address space.

However, on FreeBSD the man page states:

     [EINVAL]  One of the iov_len values in the iov array was
               negative.
     [EINVAL]  The sum of the iov_len values in the iov array
               overflowed a 32-bit integer.

Even though the values are declared u_int, they seem to be used in the
code as signed numbers (maybe that's a problem), so returning EINVAL for
a number, cast to signed, that is negative seems appropriate.

Warner
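
Added example, not part of the original message and not OpenBSD or FreeBSD kernel code: a user-space C function that applies the two EINVAL conditions from the man page text quoted above to an array of 32-bit unsigned lengths. The names `struct iov32` and `iov32_check` are hypothetical, and the fixed 32-bit `iov_len` field is an assumption that mirrors the u_int declaration mentioned in the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an iovec whose length field is a 32-bit u_int. */
struct iov32 {
    void    *iov_base;
    uint32_t iov_len;
};

/*
 * Returns 0 and stores the summed length in *total, or EINVAL when
 *   - an iov_len is negative once viewed as a signed 32-bit value, or
 *   - the running sum would overflow a signed 32-bit integer.
 * The NULL / negative-count test is an added sanity check (assumption).
 */
int iov32_check(const struct iov32 *iov, int iovcnt, int32_t *total)
{
    int32_t sum = 0;

    if (iov == NULL || total == NULL || iovcnt < 0)
        return EINVAL;

    for (int i = 0; i < iovcnt; i++) {
        /* Top bit set: 4294967295 as unsigned is -1 as signed. */
        if (iov[i].iov_len > (uint32_t)INT32_MAX)
            return EINVAL;
        /* Compare before adding so the signed sum itself never wraps. */
        if ((int32_t)iov[i].iov_len > INT32_MAX - sum)
            return EINVAL;
        sum += (int32_t)iov[i].iov_len;
    }
    *total = sum;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the base pointers are never dereferenced. */
    struct iov32 ok[2]   = { { NULL, 16 }, { NULL, 32 } };
    struct iov32 neg[1]  = { { NULL, (uint32_t)-1 } };
    struct iov32 wrap[2] = { { NULL, 0x7fffffffu }, { NULL, 1 } };
    int32_t total = 0;

    printf("ok:   %d\n", iov32_check(ok, 2, &total));
    printf("neg:  %d\n", iov32_check(neg, 1, &total));
    printf("wrap: %d\n", iov32_check(wrap, 2, &total));
    return 0;
}
```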