int sockfd;
int nhrp_req_id;
/* GRE header */
struct gre_h {
unsigned short flags; /* GRE flags */
unsigned short ptype; /* GRE protocol type */
unsigned int key; /* GRE key */
};
/* NHRP header */
researcher to uncover this bug. Without my cat's assistance as an enterprise
class keyboard-based integer fuzzer this vulnerability would have been left
unearthed.
Apple is going to learn several lessons here, the most important of which is
probably not to let an unsigned short pose as anything other than an unsigned
short. Open up a Safari browser on your favorite chode-sniffing operating
system. Go to a "banned" port like 25 and you'll get an error:
"Not allowed to use restricted network port" (WebKitErrorDomain:103)
never closes the connection to the mail server, which is not nice to the
mail server. Outlook can only be stopped by killing the process from the
task manager.
To be more exact, the bug seems to reside in InetComm.dll in the
MimeOleClearDirtyTree function. I would guess at a short-integer overflow,
which results in the infinite loop.
Microsoft was informed on 29.07.08 and declined to comment on this issue.
== Effects on Virus Scanners ==
The fts_open() function returns a "handle" on a file hierarchy, which is then supplied to the other fts functions.
The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.
typedef struct _ftsent {
unsigned short fts_info; /* flags for FTSENT structure */
char *fts_accpath; /* access path */
char *fts_path; /* root path */
size_t fts_pathlen; /* strlen(fts_path) */
char *fts_name; /* file name */
size_t fts_namelen; /* strlen(fts_name) */
of 15 bytes called trash used as destination by sscanf without the
needed size limits.
From rtsp/RTSP_state_machine.c:
int RTSP_valid_response_msg(unsigned short *status, char *msg, RTSP_buffer * rtsp)
// This routine is from BP.
{
char ver[32], trash[15];
unsigned int stat;
unsigned int seq;