From owner-freebsd-security  Sat Sep  8 10:17: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196])
	by hub.freebsd.org (Postfix) with ESMTP id C324E37B406
	for <security@FreeBSD.ORG>; Sat,  8 Sep 2001 10:17:02 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1192)
	id 8F2ED81D05; Sat,  8 Sep 2001 12:17:02 -0500 (CDT)
Date: Sat, 8 Sep 2001 12:17:02 -0500
From: Alfred Perlstein <bright@mu.org>
To: Bruce Evans <bde@zeta.org.au>
Cc: "Andrew R. Reiter" <arr@watson.org>,
	Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
Message-ID: <20010908121702.H2965@elvis.mu.org>
References: <20010908054930.F2965@elvis.mu.org> <20010909030758.B48694-100000@alphplex.bde.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010909030758.B48694-100000@alphplex.bde.org>; from bde@zeta.org.au on Sun, Sep 09, 2001 at 03:14:37AM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

* Bruce Evans <bde@zeta.org.au> [010908 12:15] wrote:
> On Sat, 8 Sep 2001, Alfred Perlstein wrote:
> 
> > * Andrew R. Reiter <arr@watson.org> [010908 05:44] wrote:
> > > Hey,
> > >
> > > The attached code fixes the semop bug which is specified in the recent
> > > NetBSD security announcement.  I'm not positive about hte naming scheme
> > > wanted by all in terms of:  size_t vs. unsigned int vs. unsigned.  I made
> > > it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
> > > instead of size_t's :-)  Great logic.
> >
> > Uh, why don't you just compare the int arg against 0, if it's less than
> > then just return EINVAL.
> 
> The API apparently specified that it is unsigned (I checked the Linux
> version).  And don't use the hack of type punning the unsigned to int
> (this part already happens) and checking for the int being less than 0
> (this check is missing).  We already use the hack of type punning an
> int to an unsigned in too many places (readv, writev, ...).

Wait, don't check against < 0?  Ok, then how do we fix it?

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message