Subject: Re: exploit with memcpy()
To: None
From: TAMURA Kent
List: tech-security
Date: 07/02/2002 23:24:58
> > - The check is at the outside of the loop.
> > - It is done only if the destination address < the source address (+length)
  for arch/i386/string/bcopy.S, dest < source+length
  for string/bcopy.c, dest > source
> > - Many applications use gcc's builtin memcpy().
> 	unluckily the 3rd bullet means that the patch won't take effect
> 	to most of the binaries, am i right?  do we want to modify gcc to
> 	generate the change you've proposed?

Right and no.  The exploit succeeds if and only if memcpy() is
compatible with memmove().  Gcc's builtin memcpy() is not.

TAMURA Kent