1995-09-23 - Re: netscape bug

Header Data

From: "Perry E. Metzger" <perry@piermont.com>
To: tomw@cthulhu.engr.sgi.com
Message Hash: 6e840034994e642bb0e31041e3a1d89193b862e7251e861217d85d8b50cb4dde
Message ID: <199509231831.OAA06104@frankenstein.piermont.com>
Reply To: <199509230003.RAA06024@orac.engr.sgi.com>
UTC Datetime: 1995-09-23 18:31:54 UTC
Raw Date: Sat, 23 Sep 95 11:31:54 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Sat, 23 Sep 95 11:31:54 PDT
To: tomw@cthulhu.engr.sgi.com
Subject: Re: netscape bug
In-Reply-To: <199509230003.RAA06024@orac.engr.sgi.com>
Message-ID: <199509231831.OAA06104@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain

Tom Weinstein writes:
> In article <DFALB4.A5u@sgi.sgi.com>, "Perry E. Metzger" <perry@piermont.com> 
> > I can tell you in general terms -- I don't write MIPS assembler
> > myself. However, I will point out to you that you use an ancient
> > Sendmail, and that it uses syslog(3) on user produced data, and that
> > syslog uses a static buffer. Trick sendmail into logging something
> > very big, and you can do what you like. The 8lgm people wrote a demo
> > for Sparc as a proof of concept.
> Hmm, after having looked at the syslogd code, it looks like this
> particular bug has been fixed for at least several years.

I said syslog(3), not syslogd(8).

The bug is in the client, not the server. Yes, you suffer from it. Go
and check.

> However, there sure are a hell of a lot of fixed size buffers being
> allocated off the stack and some of them are being used in unsafe
> ways.
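The pattern the mail describes (formatting user-controlled data into a fixed-size buffer with no length check, as the old syslog(3) client did) is shown below next to its bounded replacement. This is an added example written for this archive page, not code from the thread, from sendmail, or from any syslog implementation; the 1024-byte buffer size, the "sendmail[%d]: %s" line layout, the fake pid, and the 4000-byte message are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed formatting buffer. A constructed value for this
 * example, not the size any real syslog(3) implementation used. */
#define LOGBUF 1024

/* Log line layout. The user-supplied text is always passed as a %s argument,
 * never used as the format string itself. */
#define LOG_FMT "sendmail[%d]: %s"
#define FAKE_PID 12345   /* constructed stand-in for getpid() */

/* The unsafe shape: sprintf() into a fixed static buffer with no bound.
 * If user_msg is longer than the buffer, the write runs off its end.
 * Kept here only to show the pattern; never call it on untrusted input. */
static char unsafe_buf[LOGBUF];
const char *unsafe_format(const char *user_msg) {
    sprintf(unsafe_buf, LOG_FMT, FAKE_PID, user_msg);
    return unsafe_buf;
}

/* Pre-flight check: compute how many bytes the unbounded version would
 * write, without writing anything. Returns 1 if it would not fit. */
int unbounded_would_overflow(const char *user_msg) {
    int needed = snprintf(NULL, 0, LOG_FMT, FAKE_PID, user_msg);
    return needed < 0 || (size_t)needed + 1 > LOGBUF;
}

/* Bounded replacement: snprintf() never writes past outsz, always leaves a
 * NUL terminator, and the return value tells the caller whether the message
 * was cut so the truncation itself can be logged.
 * Returns 1 if truncated, 0 if the whole line fit, -1 on formatting error. */
int bounded_format(char *out, size_t outsz, const char *user_msg) {
    int needed = snprintf(out, outsz, LOG_FMT, FAKE_PID, user_msg);
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)needed >= outsz;
}

/* Helper: format into a LOGBUF-sized buffer and return the resulting length. */
size_t bounded_format_len(const char *user_msg) {
    char out[LOGBUF];
    bounded_format(out, sizeof out, user_msg);
    return strlen(out);
}

/* Constructed oversized input: 4000 'A' bytes standing in for a message that
 * an untrusted sender controls (for instance, a header sendmail would log). */
const char *constructed_oversized_message(void) {
    static char big[4001];
    memset(big, 'A', 4000);
    big[4000] = '\0';
    return big;
}

int main(void) {
    const char *short_msg = "queue run started";
    const char *big = constructed_oversized_message();
    char out[LOGBUF];

    printf("short message: would overflow = %d\n", unbounded_would_overflow(short_msg));
    printf("oversized message: would overflow = %d\n", unbounded_would_overflow(big));
    printf("bounded: truncated = %d, length = %zu\n",
           bounded_format(out, sizeof out, big), strlen(out));
    return 0;
}
```

The check is the same one a code audit applies to each of the fixed-size stack buffers mentioned above: find every sprintf(), strcpy() or strcat() that writes untrusted data into a fixed array, and either bound the write (snprintf/strlcpy with the real buffer size) or reject input longer than the buffer before formatting.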