From owner-freebsd-security Sun Feb 9 12:10:24 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA04884 for security-outgoing; Sun, 9 Feb 1997 12:10:24 -0800 (PST)
Received: from alpha.risc.org (trt-on10-45.netcom.ca [207.181.83.173]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA04873 for ; Sun, 9 Feb 1997 12:10:16 -0800 (PST)
Received: from localhost (taob@localhost) by alpha.risc.org (8.8.4/8.8.4) with SMTP id PAA18341; Sun, 9 Feb 1997 15:09:26 -0500 (EST)
Date: Sun, 9 Feb 1997 15:09:25 -0500 (EST)
From: Brian Tao
To: Richard Holland
cc: freebsd-security@FreeBSD.ORG
Subject: Re: buffer overruns
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 9 Feb 1997, Richard Holland wrote:
>
> So the set locale bug is this only put differently. It allocates X
> amount of bytes for the buffer, and people put too much junk into it,
> causing it to step into other memory addresses.

Essentially, yes. Specifically, you can overrun the allocated amount
of memory so that it clobbers the return address from the function
(i.e., where the next piece of code is found once your function
returns) and points it to a new piece of code you just inserted with
the overflow data.

> If I am right here, how would you know just how far you have to go
> over and what the characters need to be once you get thus far?

It is obviously best not to go over by even one byte. :)
--
Brian Tao (BT300, taob@risc.org)
"Though this be madness, yet there is method in't"
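The overrun discussed above happens when a copy into a fixed-size stack buffer is never checked against the buffer's size. As an added example that is not part of this thread, here is a bounded copy that refuses input even one byte too long (the buffer size, the function name and the demo are hypothetical, not FreeBSD's setlocale code):

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size buffer, like the name a setlocale()-style
 * routine might keep on the stack. Size chosen for illustration only. */
#define NAME_MAX_LEN 16

/* The unsafe pattern the thread describes, shown for contrast and never
 * called in this file:
 *
 *     char name[NAME_MAX_LEN];
 *     strcpy(name, input);   // keeps writing past name[] if input is long
 */

/* Hardened form: copy src into a caller-supplied buffer of size dstsz,
 * refusing (rather than silently truncating) anything that would not fit
 * together with its terminating NUL. Returns 0 on success, -1 if the
 * input is too long or an argument is invalid. */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* Bounded scan: an unterminated src cannot make this loop run away. */
    for (n = 0; n < dstsz && src[n] != '\0'; n++)
        ;
    if (n == dstsz)            /* no room left for the NUL: one byte too many */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Exercise the boundary with constructed inputs: exactly dstsz-1 bytes
 * fit, dstsz bytes do not. Returns 0 when both checks behave as expected. */
int demo(void)
{
    char name[NAME_MAX_LEN];
    char fits[NAME_MAX_LEN];        /* 15 characters + NUL */
    char toolong[NAME_MAX_LEN + 1]; /* 16 characters + NUL */

    memset(fits, 'A', NAME_MAX_LEN - 1); fits[NAME_MAX_LEN - 1] = '\0';
    memset(toolong, 'A', NAME_MAX_LEN);  toolong[NAME_MAX_LEN] = '\0';

    if (copy_name_checked(name, sizeof name, fits) != 0)    return 1;
    if (copy_name_checked(name, sizeof name, toolong) == 0) return 2;
    return 0;
}
```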