[Bug 206551] Heap overflow in iconv kernel module

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jan 24 22:57:00 UTC 2016


Jilles Tjoelker <jilles at FreeBSD.org> changed:

           What    |Removed                     |Added
                 CC|                            |jilles at FreeBSD.org

--- Comment #4 from Jilles Tjoelker <jilles at FreeBSD.org> ---
The explanation why there is no triggerable problem is that the
ICONV_CSMAXDATALEN expression is of type size_t, an unsigned type. Then,
comparing an int and a size_t, the int is converted to size_t, converting
negative values to very large positive values.

This is fragile (changing ICONV_CSMAXDATALEN to a plain number like 266240 will
make it vulnerable) and causes compiler warnings with -Wsign-compare, but is
not an immediate bug.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list