[7408] in bugtraq
Re: Fwd: Any user can panic OpenBSD machine
daemon@ATHENA.MIT.EDU (Dag-Erling Coidan =?iso-8859-1?Q?S)
Mon Jul 27 23:41:52 1998
Date: Mon, 27 Jul 1998 22:55:49 +0200
Reply-To: Dag-Erling Coidan Smørgrav <dag-erli@IFI.UIO.NO>
From: Dag-Erling Coidan Smørgrav <dag-erli@IFI.UIO.NO>
X-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: "Todd C. Miller"'s message of "Mon, 27 Jul 1998 13:32:19 -0600"
"Todd C. Miller" <Todd.Miller@COURTESAN.COM> writes:
> In message <v6pver2kl7.fsf@kechara.lh.vix.com>
> so spake Michael Graff (explorer):
> > I tested a NetBSD/i386-1.3.2 machine just now, which also returned
> > EINVAL.
> That's not correct behavior either. iov_len is unsigned so making it
> -1 (which is the unsigned value 4294967295) should not be an error.
Not at all:
/sys/kern/sys_generic.c:

        if (uap->iovcnt > UIO_MAXIOV)
                return (EINVAL);

/sys/sys/uio.h:

#define UIO_MAXIOV      1024            /* max 1K of iov's */
-1 is rejected with EINVAL because 4294967295 > 1024.
BTW, FreeBSD is immune, too. As a matter of fact, the original BSD
version (SCCS ID "@(#)sys_generic.c 8.5 (Berkeley) 1/21/94") has the
check, so the OpenBSD folks must have f*d it up somewhere along the
way.
DES (aka des@freebsd.org)
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
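As an added illustration of the point made above (example code, not from the mail, the thread, or any BSD kernel source), a user-space model of the quoted iovcnt check; the signed-count variants are constructed contrasts only and say nothing about what OpenBSD's code actually looked like.

```c
/* Added example, not code from the original mail or from any BSD kernel.
 * It models the iovcnt check quoted in the mail in user space: UIO_MAXIOV
 * and the comparison follow the quoted 4.4BSD lines; the signed variants are
 * a constructed contrast showing why the count's unsignedness rejects -1. */
#include <errno.h>
#include <stdio.h>

#define UIO_MAXIOV 1024 /* max 1K of iov's, as in /sys/sys/uio.h */

/* Mirrors the quoted check: the count is unsigned, so a caller's -1 arrives
 * as 4294967295 (32-bit unsigned int) and is larger than UIO_MAXIOV. */
int check_iovcnt_unsigned(unsigned int iovcnt)
{
    if (iovcnt > UIO_MAXIOV)
        return EINVAL;
    return 0;
}

/* Constructed contrast only (the mail does not say what OpenBSD's code was):
 * the same comparison on a signed count does not reject -1, since
 * -1 > 1024 is false, so the bogus count would be accepted. */
int check_iovcnt_signed_only_upper(int iovcnt)
{
    if (iovcnt > UIO_MAXIOV)
        return EINVAL;
    return 0;
}

/* If the count has to be signed, both ends of the range need checking. */
int check_iovcnt_signed_bounded(int iovcnt)
{
    if (iovcnt < 0 || iovcnt > UIO_MAXIOV)
        return EINVAL;
    return 0;
}

int main(void)
{
    int cnt = -1; /* the value used in the thread's test */
    printf("unsigned check, iovcnt=%d (%u): %s\n", cnt, (unsigned int)cnt,
           check_iovcnt_unsigned((unsigned int)cnt) == EINVAL ? "EINVAL"
                                                             : "accepted");
    printf("signed, upper bound only: %s\n",
           check_iovcnt_signed_only_upper(cnt) == EINVAL ? "EINVAL"
                                                         : "accepted");
    printf("signed, both bounds: %s\n",
           check_iovcnt_signed_bounded(cnt) == EINVAL ? "EINVAL" : "accepted");
    return 0;
}
```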