On Sun, 12 Jan 2003, Moriyoshi Koizumi wrote:

> On Sun, Jan 12, 2003 at 12:12:39AM +0100, Sascha Schumann wrote:
> > As many past security advisories have shown, signedness
> > issues are the frequent cause for severe vulnerabilities in
> > software (recent examples include MySQL, OpenBSD kernel).
>
> Actually, code like the one below produces vulnerable runtimes because
> the length of the string is expected to be a positive integer value...
Yes, unfortunately. Basically the same problem as in the OpenBSD kernel
and its select syscall:

http://www.phrack.org/phrack/60/p60-0x06.txt

Quote:

    Whilst there is a check [1] on the 'nd' argument (nd represents the
    highest numbered descriptor plus one, in any of the fd_sets), which is
    checked against the p->p_fd->fd_nfiles (the number of open descriptors
    that the process is holding), this check is inadequate -- 'nd' is
    declared as signed [6], so it can be negative, and therefore will pass
    the greater-than check [1]. Then 'nd' is put through a macro [2], in
    order to calculate an unsigned integer, 'ni', which will eventually be
    used as the length argument for the copyin operation.

- Sascha

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
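The check pattern quoted above, as an added C illustration that is neither the OpenBSD source nor code from this thread: FD_NFILES, NFDBITS and the HOWMANY macro are constructed stand-ins for the kernel's values, and the hardened variant shows the missing lower-bound check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins (not the OpenBSD values): the process is assumed
 * to hold FD_NFILES descriptors and an fd_set word is 32 bits wide. */
#define FD_NFILES 64
#define NFDBITS   ((uint32_t)32)

/* Same shape as the kernel's howmany() macro: because NFDBITS is
 * unsigned, a signed 'nd' is converted to unsigned before the division. */
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

/* Vulnerable shape from the quoted advisory: 'nd' is signed and only the
 * upper bound is checked, so a negative 'nd' passes and HOWMANY() turns
 * it into a huge unsigned byte count for the copy. Returns whether the
 * check passed and stores the computed length in *ni_out. */
bool select_length_unsafe(int nd, size_t *ni_out)
{
    if (nd > FD_NFILES)
        return false;                    /* only the too-large case */
    *ni_out = HOWMANY(nd, NFDBITS) * sizeof(uint32_t);
    return true;                         /* a negative nd gets here */
}

/* Hardened shape: reject negative values before any unsigned conversion. */
bool select_length_safe(int nd, size_t *ni_out)
{
    if (nd < 0 || nd > FD_NFILES)
        return false;
    *ni_out = HOWMANY((uint32_t)nd, NFDBITS) * sizeof(uint32_t);
    return true;
}

int main(void)
{
    size_t ni;
    int probes[] = { 10, FD_NFILES, FD_NFILES + 1, -1024 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool u = select_length_unsafe(probes[i], &ni);
        printf("nd=%6d unsafe: %s ni=%zu", probes[i],
               u ? "pass" : "reject", u ? ni : (size_t)0);
        bool s = select_length_safe(probes[i], &ni);
        printf("  safe: %s\n", s ? "pass" : "reject");
    }
    return 0;
}
```

With nd = -1024 the unsafe variant passes the check and yields a length of 536870784 bytes, while the hardened variant rejects it.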