From: Dimitry Andric
Date: Tue, 24 Jun 2014 17:27:46 +0200
Subject: Re: OB1
To: Royce Williams
Cc: dt71@gmx.com, FreeBSD Hackers
Message-Id: <0788DB21-6F15-46D4-A4CB-F95008D736E9@FreeBSD.org>

On 24 Jun 2014, at 16:28, Royce Williams wrote:
> On Mon, Jun 23, 2014 at 10:49 PM, Dimitry Andric wrote:
>> On 24 Jun 2014, at 06:17, dt71@gmx.com wrote:
>>> Speaking of backdoors...
>>>
>>> lib/libugidfw/ugidfw.c:
>>>> if (len < 0 || len > left)
>>>
>>> ):<
>>
>> Well, it's just another off-by-one, no need for conspiracy theories. :)
>>
>> Btw, I'd mailed about this in 2011 already, but it really isn't very
>> important. The only consumer is ugidfw, and then only to print out the
>> parsed rules.
>
> I'm a relative C newbie. Could someone post what the fix would look like?

Just replace all the "len > left" expressions with "len >= left".

-Dimitry
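
Why ">=" is the right comparison, as an added example that is not code from ugidfw.c or from this thread: it assumes "len" is the return value of an snprintf-style call writing into a buffer with "left" bytes remaining, which the quoted line alone does not show. The helper names and the sample rule text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append s at *cur with *left bytes remaining, then advance.
 * strict == 0 uses the original test (len > left);
 * strict != 0 uses the corrected test (len >= left).
 * Returns 0 on success, -1 when the check reports truncation. */
static int append(char **cur, size_t *left, const char *s, int strict)
{
    /* snprintf returns the length it wanted to write, NOT counting the NUL */
    int len = snprintf(*cur, *left, "%s", s);

    if (len < 0 || (strict ? (size_t)len >= *left : (size_t)len > *left))
        return -1;
    *cur += len;
    *left -= (size_t)len;
    return 0;
}

/* Format a constructed sample rule into out (bufsize bytes).
 * Returns 0 if every append passed its check, -1 otherwise. */
int format_rule(char *out, size_t bufsize, int strict)
{
    static const char *parts[] = { "subject ", "uid ", "root" };
    char *cur = out;
    size_t left = bufsize;
    size_t i;

    for (i = 0; i < sizeof(parts) / sizeof(parts[0]); i++)
        if (append(&cur, &left, parts[i], strict) != 0)
            return -1;
    return 0;
}

int main(void)
{
    char buf[32];
    int rc;

    /* The rule is 16 characters, so it needs 17 bytes including the NUL. */
    rc = format_rule(buf, 16, 0);
    printf("len >  left: rc=%d \"%s\"\n", rc, buf);  /* accepted, last char lost */
    rc = format_rule(buf, 16, 1);
    printf("len >= left: rc=%d\n", rc);              /* truncation reported */
    return 0;
}
```

When the return value equals the remaining space, the terminating NUL has displaced the last character, so the original test accepts a silently shortened string; no write goes past the buffer.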