From owner-freebsd-bugs Thu Mar 30 8:30: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 03B8837B5E7 for ; Thu, 30 Mar 2000 08:30:04 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id IAA35471; Thu, 30 Mar 2000 08:30:03 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Date: Thu, 30 Mar 2000 08:30:03 -0800 (PST)
Message-Id: <200003301630.IAA35471@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: "Patrick Bihan-Faou"
Subject: Re: kern/17492: There is a bug in SIOCGIFCONF ioctl code
Reply-To: "Patrick Bihan-Faou"
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR kern/17492; it has been noted by GNATS.

From: "Patrick Bihan-Faou"
To: ,
Cc:
Subject: Re: kern/17492: There is a bug in SIOCGIFCONF ioctl code
Date: Thu, 30 Mar 2000 11:27:41 -0500

This bug is the same as described in PR kern/17311.

Basically what goes wrong is that the variable "space" can be decremented too much, resulting in a negative number. Then, when you do a compare between space and sizeof(xxx) to verify if there is enough room for the next interface config structure, the comparison succeeds because the "signed" int (space) gets silently cast to an "unsigned" int (which of course is fairly large).

PR 17311 contains a more complete fix than just changing all sizeof(xxx) to (int)sizeof(xxx), which may result in incomplete structures being copied over.

Patrick.
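The signed/unsigned comparison Patrick describes, shown as an added example that is not code from the PR, the FreeBSD kernel, or Patrick's own patch. It models the SIOCGIFCONF copy-out loop with a hypothetical fixed-size `fake_ifreq` record and a constructed list of interface addresses: an address longer than the slot embedded in the record has its overflow charged against the `int` variable `space` before the room check, which is how `space` goes negative. The unhardened branch keeps the original `space < sizeof(...)` comparison, where `space` is converted to `size_t` and a negative value becomes huge; the hardened branch applies the `(int)sizeof(...)` cast, which Patrick notes is the simpler fix that PR 17311 improves on. All record sizes, names and buffer lengths here are assumptions chosen so the defect is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's struct ifreq: a name plus one
 * fixed-size socket address slot. sizeof(struct fake_ifreq) == 32 here. */
struct fake_ifreq {
    char name[16];
    char addr[16];   /* SLOT_SIZE bytes; longer addresses spill past the record */
};
#define SLOT_SIZE 16u

/* Constructed interface address: sa_len is the real sockaddr length. */
struct addr_entry {
    const char *name;
    unsigned sa_len;
};

/* Constructed sample: a 16-byte address that fits, then a 28-byte address
 * (link-layer style) that overflows the slot by 12 bytes. */
static const struct addr_entry sample_addrs[] = {
    { "lo0", 16 },
    { "em0", 28 },
};
#define SAMPLE_COUNT (sizeof sample_addrs / sizeof sample_addrs[0])
#define SAMPLE_BUFLEN 40   /* caller's buffer: room for one record, not two */

struct fill_result {
    int bytes_written;   /* what the loop believes it copied out */
    int buflen;          /* what the caller actually provided */
    int entries;         /* records emitted */
};

/* Models the SIOCGIFCONF loop. 'space' is a signed int, as in the kernel.
 * hardened == false keeps the int-vs-size_t comparison; hardened == true
 * compares int against (int)sizeof so a negative 'space' fails the check. */
struct fill_result fill_ifconf(int buflen, const struct addr_entry *ents,
                               size_t n, bool hardened)
{
    struct fill_result r = { 0, buflen, 0 };
    int space = buflen;

    for (size_t i = 0; i < n; i++) {
        unsigned overflow = ents[i].sa_len > SLOT_SIZE ? ents[i].sa_len - SLOT_SIZE : 0;
        bool enough;

        /* Charge the part of the address that will not fit in the slot.
         * This is the subtraction that can drive 'space' below zero. */
        space -= (int)overflow;

        if (hardened)
            enough = space >= (int)sizeof(struct fake_ifreq);   /* int vs int */
        else
            enough = !(space < sizeof(struct fake_ifreq));      /* int converted to size_t */

        if (!enough)
            break;

        /* "copyout": the record plus whatever spilled past its address slot. */
        r.bytes_written += (int)(sizeof(struct fake_ifreq) + overflow);
        r.entries++;
        space -= (int)sizeof(struct fake_ifreq);
    }
    return r;
}

/* True when the loop wrote past the caller's buffer. */
bool overran(struct fill_result r)
{
    return r.bytes_written > r.buflen;
}

struct fill_result run_vulnerable(void)
{
    return fill_ifconf(SAMPLE_BUFLEN, sample_addrs, SAMPLE_COUNT, false);
}

struct fill_result run_hardened(void)
{
    return fill_ifconf(SAMPLE_BUFLEN, sample_addrs, SAMPLE_COUNT, true);
}

int main(void)
{
    struct fill_result v = run_vulnerable();
    struct fill_result h = run_hardened();
    printf("vulnerable: %d entries, %d of %d bytes, overrun=%s\n",
           v.entries, v.bytes_written, v.buflen, overran(v) ? "yes" : "no");
    printf("hardened:   %d entries, %d of %d bytes, overrun=%s\n",
           h.entries, h.bytes_written, h.buflen, overran(h) ? "yes" : "no");
    return 0;
}
```

With a 40-byte buffer the first record leaves `space == 8`; the second address's 12-byte overflow takes it to -4, which the unhardened comparison accepts (as `size_t`, -4 is far larger than 32), so the loop reports 76 bytes written into 40. The cast makes the same check fail and the loop stops after one record. A compiler invoked with `-Wsign-compare` flags the unhardened comparison, which is the cheapest way to find this pattern in other copy-out loops.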