Date: Tue, 13 Mar 2001 17:15:16 +0000 From: Ian Dowse <iedowse@maths.tcd.ie> To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu> Cc: security@freebsd.org, iedowse@maths.tcd.ie Subject: Re: rwhod Message-ID: <200103131715.aa18169@salmon.maths.tcd.ie> In-Reply-To: Your message of "Tue, 13 Mar 2001 11:44:24 EST." <200103131644.LAA73764@khavrinen.lcs.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <200103131644.LAA73764@khavrinen.lcs.mit.edu>, Garrett Wollman write
>
>If, on the other hand, this bug is actually exploitable, that would be
>much more serious (and would warrant a reissue of the advisory).
I am pretty certain that there is nothing exploitable about this
bug. The code ends up doing something like:
int *p = &local_variable;
for (;;) {
p[4] = ntohl(p[4]);
p[5] = ntohl(p[5]);
p += 6;
}
The variable `p' is a register variable in the dissassembly I looked
at. So this simply scans forward through the stack byte-swapping
ints, until it reaches inaccessible memory and dies.
Ian
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200103131715.aa18169>