At 12:38 AM 1/12/2003 +0100, Sascha Schumann wrote:
I might be misunderstanding the problem and I didn't have time to read the phrack article, but doesn't this mean that leaving it unsigned is better? It wouldn't pass the length check and thus, memcpy() wouldn't convert a negative number to something huge.

> On Sun, 12 Jan 2003, Moriyoshi Koizumi wrote:
>
> > On Sun, Jan 12, 2003 at 12:12:39AM +0100, Sascha Schumann wrote:
> >
> > > As many past security advisories have shown, signedness
> > > issues are the frequent cause for severe vulnerabilities in
> > > software (recent examples include MySQL, OpenBSD kernel).
> >
> > Actually code like below produces vulnerable runtimes because
> > the length of string is expected to be a positive integer value...
>
> Yes, unfortunately. Basically the same problem as in the OpenBSD
> kernel and its select syscall:
>
> http://www.phrack.org/phrack/60/p60-0x06.txt
>
> Quote:
>
> Whilst there is a check [1] on the 'nd' argument (nd represents the
> highest numbered descriptor plus one, in any of the fd_sets), which is
> checked against the p->p_fd->fd_nfiles (the number of open descriptors
> that the process is holding), this check is inadequate -- 'nd' is
> declared as signed [6], so it can be negative, and therefore will pass
> the greater-than check [1]. Then 'nd' is put through a macro [2], in
> order to calculate an unsigned integer, 'ni', which will eventually be
> used as the length argument for the copyin operation.
Andi
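The check pattern the thread is arguing about, written out as a small added C example (not code from the thread, from PHP, or from the phrack article; the buffer size and the sample input are constructed for illustration). The first function reproduces the signed-compare mistake but only reports the length memcpy() would be handed, without copying; the other two show the two ways of closing it, namely taking the length as size_t from the start, as Andi suggests, or keeping the signed type and rejecting negatives explicitly:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 64  /* constructed destination buffer size */

/* Vulnerable pattern from the thread: a signed length compared with a
 * signed limit. A negative length is not greater than the limit, so it
 * passes, and only afterwards is it converted to size_t for memcpy(),
 * where -1 becomes SIZE_MAX. This function performs no copy; it returns
 * the length memcpy() would receive, or 0 when the check rejects it. */
size_t signed_check_copy_len(int len, int limit)
{
    if (len > limit)
        return 0;             /* rejected by the (inadequate) check */
    return (size_t)len;       /* -1 turns into SIZE_MAX here */
}

/* Fix 1 (Andi's suggestion): take the length as unsigned from the start.
 * A caller-supplied "negative" value is already huge and fails the test. */
int unsigned_check_accepts(size_t len, size_t limit)
{
    return len <= limit;
}

/* Fix 2: when the API must keep a signed length, reject negatives before
 * any conversion to size_t happens. */
int signed_check_fixed_accepts(int len, int limit)
{
    return len >= 0 && len <= limit;
}

/* Bounded copy built on the unsigned check; returns bytes copied, or 0
 * when the request is rejected. Nothing is copied on rejection. */
size_t bounded_copy(char *dst, size_t dst_len, const char *src, size_t len)
{
    if (!unsigned_check_accepts(len, dst_len))
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Convenience wrapper with a fixed internal buffer so the bounded copy can
 * be exercised with a constructed source without the caller managing
 * storage. */
size_t bounded_copy_demo(size_t len)
{
    static char dst[BUF_LEN];
    static const char src[BUF_LEN] = "constructed sample payload";  /* constructed */
    return bounded_copy(dst, sizeof dst, src, len);
}

int main(void)
{
    printf("signed check, len=-1: memcpy length would be %zu\n",
           signed_check_copy_len(-1, BUF_LEN));
    printf("signed check, len=100: memcpy length would be %zu (0 = rejected)\n",
           signed_check_copy_len(100, BUF_LEN));
    printf("unsigned check, len=(size_t)-1: accepted=%d\n",
           unsigned_check_accepts((size_t)-1, BUF_LEN));
    printf("fixed signed check, len=-1: accepted=%d\n",
           signed_check_fixed_accepts(-1, BUF_LEN));
    printf("bounded copy of 26 bytes: copied=%zu\n", bounded_copy_demo(26));
    printf("bounded copy of SIZE_MAX bytes: copied=%zu\n",
           bounded_copy_demo((size_t)-1));
    return 0;
}
```

Note that the unsigned fix only works if the length is unsigned at the point of comparison; comparing an int against a size_t also promotes the int to unsigned under the usual arithmetic conversions, but relying on that implicit promotion is fragile and worth making explicit, which is what the second fix does.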
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php