Justin Pryzby wrote:
> Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
>                                                      ^^^^^^^^^^^^^^^^
>
> It's not an integer overflow, btw, though it's not really a buffer
> overflow either; it's a set-an-arbitrary-byte-of-memory-to-zero bug.

Are you sure?  My investigation showed that

 rlen goes from 0..49 and rbuf[rlen] is accessed

 then rlen grows until 2147483647 while rbuf[rlen] is not accessed
 due to rlen > sizeof(rbuf)

 But then, since 2147483647 is INT_MAX, rlen will become -2147483648
 and with the next character the condition rlen < sizeof(rbuf) is
 true again, causing rbuf[rlen] = cbuf[0] to be executed,
 unfortunately rlen is now -2147483648 causing the program to crash

 rlen goes from valid to invalid positive to invalid negative --> integer overflow

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
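
The counter behaviour described in the reply above, as an added C example that is not part of the original message or of the affected program's source. It assumes a 50-byte buffer (indices 0..49, as in the message) and a signed comparison against the bound; the function names and the starting counter value are constructed for illustration, and the out-of-range store is only counted, never performed.

```c
#include <limits.h>
#include <stdio.h>

#define RBUF_SIZE 50   /* rlen 0..49 is a valid index, per the message */

/* Signed overflow is undefined behaviour in C, so the wrap from INT_MAX
 * to INT_MIN described in the message is modelled explicitly here. */
static int wrap_inc(int v) { return v == INT_MAX ? INT_MIN : v + 1; }

/* Model of the described logic: store only when rlen is below the bound,
 * but count every character. Assumption: the bound is compared as a signed
 * int (an int compared directly with a size_t is converted to unsigned).
 * Returns 1 if rbuf[*idx] would be written. */
static int feed_unbounded(int *rlen, int *idx) {
    int wrote = 0;
    if (*rlen < RBUF_SIZE) { *idx = *rlen; wrote = 1; }
    *rlen = wrap_inc(*rlen);
    return wrote;
}

/* Hardened variant: the counter advances only when a byte is stored,
 * so it saturates at RBUF_SIZE and can never wrap. */
static int feed_saturating(int *rlen, int *idx) {
    if (*rlen < 0 || *rlen >= RBUF_SIZE) return 0;
    *idx = *rlen;
    (*rlen)++;
    return 1;
}

/* Feed n characters starting at counter value `start`; return how many
 * stores would land outside rbuf[0..RBUF_SIZE-1]. */
static long count_bad_writes(int (*feed)(int *, int *), int start, long n) {
    int rlen = start, idx = 0;
    long bad = 0;
    for (long i = 0; i < n; i++)
        if (feed(&rlen, &idx) && (idx < 0 || idx >= RBUF_SIZE)) bad++;
    return bad;
}

int main(void) {
    /* Constructed state: start just below INT_MAX instead of looping 2^31 times. */
    printf("unbounded:  %ld out-of-range stores\n",
           count_bad_writes(feed_unbounded, INT_MAX - 2, 10));
    printf("saturating: %ld out-of-range stores\n",
           count_bad_writes(feed_saturating, 0, 1000));
    return 0;
}
```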