From owner-freebsd-security Sat Sep 8 10:15:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 86BA837B405 for ; Sat, 8 Sep 2001 10:15:43 -0700 (PDT) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id DAA29974; Sun, 9 Sep 2001 03:15:26 +1000 Date: Sun, 9 Sep 2001 03:14:37 +1000 (EST) From: Bruce Evans X-X-Sender: To: Alfred Perlstein Cc: "Andrew R. Reiter" , Kris Kennaway , Subject: Re: netbsd vulnerabilities In-Reply-To: <20010908054930.F2965@elvis.mu.org> Message-ID: <20010909030758.B48694-100000@alphplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 8 Sep 2001, Alfred Perlstein wrote: > * Andrew R. Reiter [010908 05:44] wrote: > > Hey, > > > > The attached code fixes the semop bug which is specified in the recent > > NetBSD security announcement. I'm not positive about hte naming scheme > > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made > > it u_int b/c i saw in sysproto.h that there seemed to be more u_int's > > instead of size_t's :-) Great logic. > > Uh, why don't you just compare the int arg against 0, if it's less than > then just return EINVAL. The API apparently specified that it is unsigned (I checked the Linux version). And don't use the hack of type punning the unsigned to int (this part already happens) and checking for the int being less than 0 (this check is missing). We already use the hack of type punning an int to an unsigned in too many places (readv, writev, ...). Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message