Date: Tue, 30 Nov 1999 16:22:48 -0700
From: Warner Losh <imp@village.org>
To: tstromberg@rtci.com
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: Where to start? Heres a few overflows.
Message-ID: <199911302322.QAA05983@harmony.village.org>
In-Reply-To: Your message of "Tue, 30 Nov 1999 18:14:50 EST." <38445A6A.50245AF5@rtci.com>
References: <38445A6A.50245AF5@rtci.com>
In message <38445A6A.50245AF5@rtci.com> Thomas Stromberg writes:
: *dump overflow when giving it a partition to dump
:  ex: dump -0 [A*1024] (msg?)
: *rdump overflow when giving it a partition to dump
:  ex: rdump -0 [A*1024]

These are fixed in -current. I've not backported to stable, but should.

: !doscmd overflow in any argument.
:  ex: doscmd [A*4000]

Tip of the iceberg. That's why it isn't set*id anymore.

: ?banner arg overflow. discussed in -CURRENT.
:  ex: banner [A*8192]

I have a patch in my tree for this. Just need to send commentary on it out.

: ?systat possible race condition in systat -n (and other gui
: modes). Happens when program is terminated sometimes.
: (could be libcurses?). Test script sent to security-officer.
:
: Trace as follows:
:
: #0 0x280714c5 in wmove () from /usr/lib/libcurses.so.2
: #1 0x804b916 in free ()
: #2 0xbfbfdfdc in ?? ()
: #3 0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
: #4 0x2807130b in setterm () from /usr/lib/libcurses.so.2
: #5 0x28071159 in setterm () from /usr/lib/libcurses.so.2
: #6 0x28070759 in initscr () from /usr/lib/libcurses.so.2
: #7 0x804b529 in free ()
: #8 0x80499fd in free ()

If these are really to be believed, and you are recursively entering free, then I can't help you with this at all. malloc isn't reentrant. However, the traceback looks funny now that I take a closer look at it.

Warner
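As an added example (not code from this thread or from FreeBSD), the following shows the check the reported argument overflows were missing: a privileged program copies each command-line argument into a fixed-size buffer only after verifying it fits, and rejects anything longer. The limit MAX_ARG_LEN, the function names, and the 4000-byte test argument (built to mirror the "[A*4000]" notation in the report) are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Maximum argument length this hypothetical set-uid tool accepts
 * (constructed limit for the example, not a FreeBSD value). */
#define MAX_ARG_LEN 255

/* Copy src into a buffer of dstsize bytes without ever writing past it.
 * Returns 0 on success, -1 if src (plus its NUL) would not fit, in which
 * case dst is left as an empty string and the caller rejects the argument. */
int copy_arg_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);

    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n + 1 copies the NUL as well */
    return 0;
}

/* Validate one argument the way a privileged program should: the length
 * is checked before the data is used, instead of trusting argv. Returns 1
 * when the argument is acceptable, 0 when it is too long. */
int arg_is_acceptable(const char *arg)
{
    char buf[MAX_ARG_LEN + 1];

    return copy_arg_bounded(buf, sizeof buf, arg) == 0;
}

/* Build a constructed test argument of len repeated characters, e.g.
 * make_repeated_arg('A', 4000) for "[A*4000]". Caller frees the result. */
char *make_repeated_arg(char c, size_t len)
{
    char *s = malloc(len + 1);

    if (s == NULL)
        return NULL;
    memset(s, c, len);
    s[len] = '\0';
    return s;
}

/* Stand-alone use: report which of the given arguments would be accepted. */
int main(int argc, char **argv)
{
    int i;

    for (i = 1; i < argc; i++) {
        printf("arg %d (%zu bytes): %s\n", i, strlen(argv[i]),
               arg_is_acceptable(argv[i]) ? "ok" : "rejected, too long");
    }
    return 0;
}
```

Run it as `./a.out /dev/da0s1a "$(printf 'A%.0s' $(seq 4000))"` to see the short partition name accepted and the 4000-byte argument rejected before it is ever copied.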