Date: Sun, 24 Jan 2016 22:57:00 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206551] Heap overflow in iconv kernel module Message-ID: <bug-206551-8-WBcwm5xR1g@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-206551-8@https.bugs.freebsd.org/bugzilla/> References: <bug-206551-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206551 Jilles Tjoelker <jilles@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jilles@FreeBSD.org --- Comment #4 from Jilles Tjoelker <jilles@FreeBSD.org> --- The explanation why there is no triggerable problem is that the ICONV_CSMAXDATALEN expression is of type size_t, an unsigned type. Then, comparing an int and a size_t, the int is converted to size_t, converting negative values to very large positive values. This is fragile (changing ICONV_CSMAXDATALEN to a plain number like 266240 = will make it vulnerable) and causes compiler warnings with -Wsign-compare, but is not an immediate bug. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206551-8-WBcwm5xR1g>