From owner-freebsd-security  Sun Aug 11 21:54: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 21B4937B401
	for <security@freebsd.org>; Sun, 11 Aug 2002 21:54:01 -0700 (PDT)
Received: from citi.umich.edu (citi.umich.edu [141.211.92.141])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1DDB243E42
	for <security@freebsd.org>; Sun, 11 Aug 2002 21:54:00 -0700 (PDT)
	(envelope-from provos@citi.umich.edu)
Received: by citi.umich.edu (Postfix, from userid 104123)
	id 539AE207CA; Sun, 11 Aug 2002 18:31:45 -0400 (EDT)
Date: Sun, 11 Aug 2002 18:31:45 -0400
From: Niels Provos <provos@citi.umich.edu>
To: Kris Kennaway <kris@obsecurity.org>
Cc: security@freebsd.org
Subject: Re: [provos@citi.umich.edu: OpenBSD Security Advisory: Select Boundary Condition]
Message-ID: <20020811223145.GQ22399@citi.citi.umich.edu>
References: <20020811214723.GA76470@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020811214723.GA76470@xor.obsecurity.org>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sun, Aug 11, 2002 at 02:47:23PM -0700, Kris Kennaway wrote:
> In case anyone is wondering, it looks like FreeBSD fixed this security
> hole 6 years ago, in the following commit:
> 
> ---
> Revision 1.19 / (download) - annotate - [select for diffs], Tue Aug 20 07:17:48 1996 UTC (5 years, 11 months ago) by smpatel 
> Branch: MAIN 
> Changes since 1.18: +43 -15 lines
> Diff to previous 1.18 (colored) 
> 
> Remove the kernel FD_SETSIZE limit for select().
> Make select()'s first argument 'int' not 'u_int'.
> 
> Reviewed by:	bde
> ---
Read that commit message carefully.  That problem was introduced into
FreeBSD six years ago.  It was fixed last year.

revision 1.74
date: 2001/02/27 00:50:20;  author: jlemon;  state: Exp;  lines: +3 -2
Cast nfds to u_int before range checking it in order to catch negative
values.

PR:     25393

NetBSD fixed it somewhat later.

I did not contact anyone at FreeBSD or NetBSD because it was not a
problem there in case you were wondering.

Niels.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message