From owner-freebsd-security Tue Mar 13 9:15:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (Postfix) with SMTP id 815D837B719 for ; Tue, 13 Mar 2001 09:15:17 -0800 (PST) (envelope-from iedowse@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 13 Mar 2001 17:15:16 +0000 (GMT)
To: Garrett Wollman
Cc: security@freebsd.org, iedowse@maths.tcd.ie
Subject: Re: rwhod
In-Reply-To: Your message of "Tue, 13 Mar 2001 11:44:24 EST." <200103131644.LAA73764@khavrinen.lcs.mit.edu>
Date: Tue, 13 Mar 2001 17:15:16 +0000
From: Ian Dowse
Message-ID: <200103131715.aa18169@salmon.maths.tcd.ie>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200103131644.LAA73764@khavrinen.lcs.mit.edu>, Garrett Wollman writes:
>
>If, on the other hand, this bug is actually exploitable, that would be
>much more serious (and would warrant a reissue of the advisory).

I am pretty certain that there is nothing exploitable about this bug.
The code ends up doing something like:

	int *p = &local_variable;
	for (;;) {			/* no termination condition */
		p[4] = ntohl(p[4]);
		p[5] = ntohl(p[5]);
		p += 6;			/* advance one entry (six ints) */
	}

The variable `p' is a register variable in the disassembly I looked at.
So this simply scans forward through the stack byte-swapping ints, until
it reaches inaccessible memory and dies.

Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
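As an added illustration (not taken from Ian's message or from the rwhod sources), here is the same byte-swap loop written with the bound a receiver should apply: the number of entries is derived from the byte count the packet actually carried, so the pointer can never walk past the buffer. The six-word entry layout and the two swapped fields (words 4 and 5) follow the snippet above; the function names and the sample packet are assumptions constructed for this example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, following the message: each entry is six 32-bit words,
 * and only words 4 and 5 arrive in network byte order. Illustrative code,
 * not rwhod's own. */
#define WORDS_PER_ENTRY 6
#define ENTRY_BYTES (WORDS_PER_ENTRY * (size_t)sizeof(uint32_t))

/* Byte-swap the per-entry fields of a received buffer in place.
 * The loop is bounded by the number of bytes received (cc), not by
 * whatever memory happens to follow the buffer, so a short, padded or
 * oversized packet cannot push the pointer off the end.
 * Returns the number of complete entries converted. */
size_t swap_entries(uint32_t *buf, size_t cc)
{
    size_t nentries = cc / ENTRY_BYTES;   /* a trailing partial entry is ignored */
    uint32_t *p = buf;
    for (size_t i = 0; i < nentries; i++, p += WORDS_PER_ENTRY) {
        p[4] = ntohl(p[4]);
        p[5] = ntohl(p[5]);
    }
    return nentries;
}

/* Constructed sample: two complete entries followed by three stray bytes,
 * as a padded or truncated datagram might deliver them. Returns 1 when the
 * two entries were converted and the stray word was left untouched. */
int demo_ok(void)
{
    uint32_t pkt[2 * WORDS_PER_ENTRY + 1];
    memset(pkt, 0, sizeof pkt);
    pkt[4]  = htonl(0x01020304u);  pkt[5]  = htonl(60u);
    pkt[10] = htonl(0x0a0b0c0du);  pkt[11] = htonl(7u);
    pkt[12] = htonl(0xdeadbeefu);  /* stray word past the last full entry */
    size_t cc = 2 * ENTRY_BYTES + 3;  /* byte count as recvfrom() would report */
    size_t n = swap_entries(pkt, cc);
    return n == 2
        && pkt[4] == 0x01020304u && pkt[5] == 60u
        && pkt[10] == 0x0a0b0c0du && pkt[11] == 7u
        && pkt[12] == htonl(0xdeadbeefu);
}
```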