Date: Thu, 19 Jul 2001 10:12:25 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107191712.f6JHCPD75088@earth.backplane.com>
To: Assar Westerlund
Cc: "Jacques A. Vidrine", Cy Schubert - ITSD Open Systems Group, Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?

:output_data adds the result from vsnprintf() to nfrontp. If there's
:not enough room for the formatted string in `remaining', vsnprintf()
:returns the size that would be required. Bad me, no cookie.
:
:/assar

Ach! Of course! I totally missed that even though I read the code
half a dozen times. It's even worse... size_t is unsigned, so once
you overflow the buffer the 'remaining' amount will be some huge
number and you are screwed.

-Matt
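The accounting problem discussed in this message, as an added example (not telnetd's code and not written by anyone in the thread): the first function models the unchecked advance on offsets only, the second is one way to clamp it. The `outbuf` struct, `OUTBUF_SIZE`, `SAMPLE` and every function name other than the thread's `output_data` are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define OUTBUF_SIZE 32  /* constructed; small so the overflow case is easy to reach */
static const char SAMPLE[] = "0123456789012345678901234567890123456789"; /* constructed, 40 chars */

struct outbuf { char data[OUTBUF_SIZE]; size_t front; /* offset form of nfrontp */ };

/* 'remaining' as an unsigned subtraction, as in the thread. */
static size_t remaining_unchecked(size_t front) { return OUTBUF_SIZE - front; }

/* Model of the flawed accounting: add vsnprintf()'s return value unconditionally.
 * The return value does not depend on the size argument, so the model asks for
 * it with a zero-size buffer and never writes anything. */
static size_t advance_unchecked(size_t front, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return ret < 0 ? front : front + (size_t)ret;
}

/* Hardened append: advance only by what was stored. Returns bytes stored (less
 * than the formatted length when truncated), or -1 on a formatting error or
 * when front is already out of range. */
static int output_data_checked(struct outbuf *b, const char *fmt, ...)
{
    if (b->front >= OUTBUF_SIZE)
        return -1;                       /* never let the subtraction wrap */
    size_t remaining = OUTBUF_SIZE - b->front;
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(b->data + b->front, remaining, fmt, ap);
    va_end(ap);
    if (ret < 0)
        return -1;
    size_t stored = (size_t)ret < remaining ? (size_t)ret : remaining - 1;
    b->front += stored;
    return (int)stored;
}

int main(void)
{
    size_t front = advance_unchecked(0, "%s", SAMPLE);
    printf("unchecked: front=%zu remaining=%zu\n", front, remaining_unchecked(front));
    struct outbuf b = { {0}, 0 };
    int n = output_data_checked(&b, "%s", SAMPLE);
    printf("checked:   stored=%d front=%zu remaining=%zu\n", n, b.front, OUTBUF_SIZE - b.front);
    return 0;
}
```

A caller that cannot accept truncation can compare the return value with the length it expected and flush the buffer before retrying.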