Re: The 99,999-bug question: Why can you execute from the stack?

From: Brett Glass <brett@lariat.org>
Date: 19 Jul 1998 18:41:03
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: 199807200140.TAA06705@lariat.lariat.org

At 06:17 PM 7/19/98 -0700, Jordan K. Hubbard wrote:

>If you can make it all work and want to hack up a proof of concept, go
>for it. Right now, however, I think you're letting annoyance get the
>better part of intelligence.

I make no bones about the fact that I'm annoyed; that buffer overflow
exploit will cost me between a week and a month of tedious work. The
fact that the problem has been fixed in Linux and Solaris is a good
proof of concept.

Again, the problem is simply one of where to put a "thunk." In general,
putting it on the CPU stack is a bad idea, and the problem is starting
to bite all of us. It'll only get worse, especially so long as we use C;
the language is so prone to array overruns and buffer overflow exploits.

>More importantly, making suggestions which are almost worded like
>demands when it is very clear that you do _not_ understand the subject
>in question is only a good way of antagonizing people.

As a seasoned assembly language programmer, I understand the subjects
of memory allocation and "thunking" quite well. I don't think anyone
should feel antagonized when I emphasize the importance of fixing this
problem -- especially after the extensive personal cost it has had, and
will have, for me.

--Brett Glass


