Date: Thu, 27 Jun 2002 11:49:54 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200206271549.g5RFnsWb031650@khavrinen.lcs.mit.edu>
To: Marc Slemko
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD vuln...

< said:

> No question, the real bug is in Apache for passing in a negative
> length, however the particular exploit only works due to some very
> interesting details of how memcpy() is doing things that could arguably
> be called wrong.

The length parameter to memcpy is unsigned. There is no such thing as
`passing a negative length to memcpy'. One can, of course, pass an
extremely large positive length to memcpy, generated by converting a
negative signed integer to an unsigned integer on a two's-complement
machine.

-GAWollman
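Added example, not part of the thread above: a small C program that makes the conversion Wollman describes visible (a negative `int` becomes a huge `size_t` at the memcpy call) and shows a copy wrapper that validates the signed length before it is converted. The function names are my own and not from Apache or FreeBSD.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* memcpy's third parameter is size_t. Passing an int silently converts it,
 * so -1 arrives as SIZE_MAX. This helper only performs that conversion,
 * no copy, so the resulting value can be inspected. */
size_t length_as_seen_by_memcpy(int len)
{
    return (size_t)len;   /* same implicit conversion memcpy(d, s, len) does */
}

/* Copy 'len' bytes from src into dst (capacity 'cap').
 * The checks run on the signed value, before any conversion to size_t,
 * so a negative length is rejected instead of turning into a huge count.
 * Returns the number of bytes copied, or -1 if the request was rejected. */
int bounded_copy(char *dst, size_t cap, const char *src, int len)
{
    if (len < 0)
        return -1;                 /* negative: never reaches memcpy */
    if ((size_t)len > cap)
        return -1;                 /* would overrun dst */
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void)
{
    char buf[8];
    /* constructed sample input: a length field that decoded to -1 */
    int bad_len = -1;

    printf("int %d seen by memcpy as %zu bytes\n",
           bad_len, length_as_seen_by_memcpy(bad_len));
    printf("bounded_copy(-1) -> %d\n",
           bounded_copy(buf, sizeof buf, "abcdefgh", bad_len));
    printf("bounded_copy(8)  -> %d\n",
           bounded_copy(buf, sizeof buf, "abcdefgh", 8));
    return 0;
}
```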