Date: Thu, 27 Jun 2002 11:49:54 -0400 (EDT) From: Garrett Wollman <wollman@lcs.mit.edu> To: Marc Slemko <marcs@znep.com> Cc: security@FreeBSD.ORG Subject: Re: FreeBSD vuln... Message-ID: <200206271549.g5RFnsWb031650@khavrinen.lcs.mit.edu> In-Reply-To: <Pine.BSF.4.20.0206261813330.38173-100000@alive.znep.com> References: <Pine.BSF.4.21.0206261516150.64758-100000@InterJet.elischer.org> <Pine.BSF.4.20.0206261813330.38173-100000@alive.znep.com>
next in thread | previous in thread | raw e-mail | index | archive | help
<<On Wed, 26 Jun 2002 18:25:28 -0700 (PDT), Marc Slemko <marcs@znep.com> said: > No question, the real bug is in Apache for passing in a negative > length, however the particular exploit only works due to some very > interesting details of how memcpy() is doing things that could arguably > be called wrong. The length parameter to memcpy is unsigned. There is no such thing as `passing a negative length to memcpy'. One can, of course, pass an extremely large positive length to memcpy, generated by converting a negative signed integer to an unsigned integer on a two's-complement machine. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206271549.g5RFnsWb031650>