Subject: Re: exploit with memcpy()
To: None <tech-userlevel@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: tech-userlevel
Date: 07/02/2002 15:24:47
In article <3D21B6C2.B8D35ECB@TooLs.DE>, Wolfgang Solfrank <ws@tools.de> wrote:
>Hi,
>
>> The code executes /bin/sh and this is a method used in Apache
>> exploit.  It doesn't mean memcpy() is vulnerable.  However, we
>> can protect from this kind of exploit by adding checks to
>> memcpy/memmove/bcopy like the following.  May I commit it?
>
>I strongly object to this!
>
>While I haven't looked closely at what the program does,
>_anything_ that it does can just as easily be done without
>the help of memcpy.  So the "fix" doesn't cover any exploit.
>
>In addition to that, it isn't the business of random libc functions
>to write messages anywhere.  E.g., what about programs having closed
>stderr and opened something else, resulting in fd 2 pointing to some
>carefully constructed data stream that gets disturbed by your error
>message?  Library functions should only write to files if they are
>documented to do so.

And we should strive to eliminate functions in libc that write errors
and warnings to stderr...

christos
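The fd 2 hazard raised above, as an added demonstration that is not part of the thread: a program closes stderr, the next open() reuses descriptor 2 for a data file, and a library routine that "helpfully" warns on stderr (a hypothetical stand-in for the proposed memcpy() check) corrupts that file. The file path, the sample record and the warning text are constructed for the example; the real stderr is saved with dup() and restored afterwards.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for a libc routine that emits a warning on stderr. */
static void chatty_libc_routine(void) {
    fprintf(stderr, "memcpy: suspicious copy\n");   /* 24 bytes, unbuffered */
}

/* Closes stderr, opens a data file (which takes over fd 2), writes one
 * application record, then calls the chatty routine.  Returns how many
 * bytes ended up in the file that the program never wrote there, or -1
 * if setup fails.  The real stderr is saved and restored via dup()/dup2(). */
long stderr_hijack_demo(void) {
    static const char record[] = "record-1\n";      /* constructed sample data */
    char path[] = "/tmp/fd2demo.XXXXXX";
    char buf[256];
    long total = 0;
    ssize_t n;

    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);                                     /* keep only the path */

    int saved_err = dup(STDERR_FILENO);             /* remember the real stderr */
    if (saved_err < 0) { unlink(path); return -1; }
    close(STDERR_FILENO);                           /* program closes stderr ... */
    int data_fd = open(path, O_WRONLY | O_APPEND);  /* ... lowest free fd is now 2 */
    if (data_fd < 0) { dup2(saved_err, STDERR_FILENO); close(saved_err); unlink(path); return -1; }
    if (data_fd != STDERR_FILENO)                   /* something else held fd 2: force it */
        dup2(data_fd, STDERR_FILENO);

    if (write(data_fd, record, sizeof record - 1) < 0)   /* the program's own output */
        total = -1;
    else
        chatty_libc_routine();                      /* library "warning" lands in the data file */

    dup2(saved_err, STDERR_FILENO);                 /* restore the real stderr */
    close(saved_err);
    if (data_fd != STDERR_FILENO) close(data_fd);
    if (total < 0) { unlink(path); return -1; }

    int rd = open(path, O_RDONLY);
    if (rd < 0) { unlink(path); return -1; }
    while ((n = read(rd, buf, sizeof buf)) > 0) total += n;
    close(rd);
    unlink(path);
    return total - (long)(sizeof record - 1);       /* foreign bytes injected by the library */
}
```

With a 9-byte record and a 24-byte warning, the file grows to 33 bytes and the function reports 24 foreign bytes, which is exactly the "disturbed data stream" the objection describes.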