On Wed, 24 Oct 2001, Lucian Hudin wrote:

> I don't know about any teso exploit, but what I want to mention is
> that I remember studying this problem myself and I've found that the
> crc32 bug doesn't manifest under operating systems that return NULL on
> realloc(ptr, 0); So if the exploit is based on the fact that
> realloc(ptr, 0) will NOT return NULL, Linux & W2k (systems I have
> access on) were never actually vulnerable.

Very interesting conclusion - but certainly wrong. Actually, modern
systems usually allow you to allocate zero-sized "placeholders", and
Linux, *BSD and (IIRC) Solaris follow this rule. Two proof-of-concept
exploits were already published on BUGTRAQ, numerous others - developed
for a not so broad audience.

> The Linux realloc manual says :
> "realloc() returns a pointer to the newly allocated memory, which is
> suitably aligned for any kind of variable and may be different
> from ptr, or NULL if the request fails or if size was equal to 0.

The manual page is wrong. This is not the behavior of recent glibc
releases.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
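The disagreement above is about what realloc(ptr, 0) returns, and the point that matters for the detector bug is that the C standard lets a libc return either NULL or a zero-sized placeholder, so no code should depend on the NULL case. The following is an added example written for this page, not code from either poster or from the SSH sources: it probes the behaviour of the libc it is linked against, shows the narrowing that is usually described as the root of the crc32 detector bug (a 32-bit entry count copied into a 16-bit counter, which folds 65536 to 0; the counter width is taken from the usual description of the bug, not from this thread), and contrasts that with an allocation wrapper that refuses zero-sized and overflowing array requests itself. The function names are mine.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Probe the libc we were linked against. C99 permits realloc(p, 0) either
 * to free p and return NULL or to return a zero-sized "placeholder".
 * Returns 1 for a non-NULL placeholder, 0 for NULL, -1 if the call failed. */
int realloc_zero_returns_pointer(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return -1;
    errno = 0;
    void *q = realloc(p, 0);
    if (q != NULL) {          /* placeholder: p was released, q is ours to free */
        free(q);
        return 1;
    }
    if (errno == ENOMEM) {    /* genuine failure: p is still valid */
        free(p);
        return -1;
    }
    return 0;                 /* NULL meant "freed": nothing left to release */
}

/* Assumed shape of the detector bug: the table size lived in a 16-bit
 * counter assigned from a 32-bit value, so a large request folds to 0 and
 * the subsequent allocation is zero-sized. */
uint16_t table_entries_after_truncation(uint32_t entries_wanted)
{
    uint16_t n = (uint16_t) entries_wanted;  /* the narrowing conversion */
    return n;
}

/* Hardened array (re)allocation: refuse a zero-element or zero-size request
 * rather than trusting the libc to return NULL for it, and refuse nmemb*size
 * overflow. On NULL with errno EINVAL/EOVERFLOW the old block is untouched. */
void *checked_realloc_array(void *old, size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0) {
        errno = EINVAL;
        return NULL;
    }
    if (nmemb > SIZE_MAX / size) {
        errno = EOVERFLOW;
        return NULL;
    }
    return realloc(old, nmemb * size);
}

int main(void)
{
    int r = realloc_zero_returns_pointer();
    printf("realloc(p, 0) on this libc: %s\n",
           r == 1 ? "non-NULL placeholder" : r == 0 ? "NULL" : "failed");

    uint16_t n = table_entries_after_truncation(65536u);
    printf("65536 entries stored in a uint16_t counter: %u\n", (unsigned) n);

    uint16_t *h = checked_realloc_array(NULL, n, sizeof *h);
    if (h == NULL)
        printf("checked_realloc_array refused the zero-sized table (errno=%d)\n",
               errno);
    free(h);
    return 0;
}
```

Run it on each libc you care about: the first line differs between platforms, which is exactly why the probe is not a fix. The wrapper is, because it makes the zero-size case an explicit error before any pointer arithmetic can be done on the result.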