Bugtraq mailing list archives
Re: Possible SERIOUS bug in open()?
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 24 Oct 1997 18:10:32 -0600
> This is far from the only place that I've seen problems with unexpected interactions owing to surprise negative arguments. Anyone want to take a guess as to what strncpy() does when it gets a negative "count" argument? Think that can't happen? Think pointer arithmetic.
Yes, but I did a 4 hour or so search in the source tree and didn't find a single case of such a "strncpy() turning into strcpy()". It could. But I've not found one. Incorrectly bounded strncat() calls are far more common, but even then, I can't think of one of those that we found to be exploitable.
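Added example, not part of the original post or of any code it refers to: how a "space left" value derived from buffer arithmetic goes negative and reaches strncpy() as a huge size_t count, next to a bounds check that refuses the copy instead. The names `count_seen_by_strncpy` and `append_checked`, the 8-byte buffer and the offsets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The value strncpy() sees: its count parameter is size_t, so a signed
 * "space left" result is converted, and -1 becomes SIZE_MAX. */
size_t count_seen_by_strncpy(ptrdiff_t space_left)
{
    return (size_t)space_left;
}

/* Hypothetical helper: append src at offset `used` in a buffer of `cap` bytes.
 * Returns the new offset, or -1 if the offset is already out of range or
 * src (plus its NUL) does not fit. The buffer is untouched on failure. */
ptrdiff_t append_checked(char *buf, size_t cap, ptrdiff_t used, const char *src)
{
    if (used < 0 || (size_t)used >= cap)
        return -1;                      /* space_left would be <= 0 */
    size_t room = cap - (size_t)used;   /* at least 1, cannot wrap */
    size_t len = strlen(src);
    if (len >= room)
        return -1;                      /* no room for the terminator */
    memcpy(buf + used, src, len + 1);
    return used + (ptrdiff_t)len;
}

int main(void)
{
    char buf[8];
    ptrdiff_t used = 10;                /* constructed: cursor already past the end */
    ptrdiff_t space_left = (ptrdiff_t)sizeof buf - used;   /* -2 */

    printf("signed space_left = %td\n", space_left);
    printf("count as size_t   = %zu\n", count_seen_by_strncpy(space_left));
    printf("append_checked    = %td\n", append_checked(buf, sizeof buf, used, "x"));
    return 0;
}
```

When auditing, the same check applies to any call whose length argument is computed by subtraction: confirm the result is proven positive before it is converted to size_t.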