Date: Sat, 8 Sep 2001 12:17:02 -0500 From: Alfred Perlstein <bright@mu.org> To: Bruce Evans <bde@zeta.org.au> Cc: "Andrew R. Reiter" <arr@watson.org>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: netbsd vulnerabilities Message-ID: <20010908121702.H2965@elvis.mu.org> In-Reply-To: <20010909030758.B48694-100000@alphplex.bde.org>; from bde@zeta.org.au on Sun, Sep 09, 2001 at 03:14:37AM %2B1000 References: <20010908054930.F2965@elvis.mu.org> <20010909030758.B48694-100000@alphplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
* Bruce Evans <bde@zeta.org.au> [010908 12:15] wrote: > On Sat, 8 Sep 2001, Alfred Perlstein wrote: > > > * Andrew R. Reiter <arr@watson.org> [010908 05:44] wrote: > > > Hey, > > > > > > The attached code fixes the semop bug which is specified in the recent > > > NetBSD security announcement. I'm not positive about hte naming scheme > > > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made > > > it u_int b/c i saw in sysproto.h that there seemed to be more u_int's > > > instead of size_t's :-) Great logic. > > > > Uh, why don't you just compare the int arg against 0, if it's less than > > then just return EINVAL. > > The API apparently specified that it is unsigned (I checked the Linux > version). And don't use the hack of type punning the unsigned to int > (this part already happens) and checking for the int being less than 0 > (this check is missing). We already use the hack of type punning an > int to an unsigned in too many places (readv, writev, ...). Wait, don't check against < 0? Ok, then how do we fix it? -- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908121702.H2965>