authorsilby <silby@FreeBSD.org>2002-06-27 03:55:36 +0000
committersilby <silby@FreeBSD.org>2002-06-27 03:55:36 +0000
commit100d07d8c12e585da2afae57444fbf7cb26fa2fc (patch)
treec222e3d016e1af1014e25f8021bf168299381563 /lib/libc/i386/string
parent4a461e9ee15f4073dfc50e849319dcb53fbbd66b (diff)
Modify bcopy (and memcpy/memmove) so that the length value is not
re-read from the stack mid-copy. This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.

Reviewed by: jdp
MFC after: 2 days
Diffstat (limited to 'lib/libc/i386/string')
-rw-r--r--lib/libc/i386/string/bcopy.S6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libc/i386/string/bcopy.S b/lib/libc/i386/string/bcopy.S
index aaa701b..0046e57 100644
--- a/lib/libc/i386/string/bcopy.S
+++ b/lib/libc/i386/string/bcopy.S
@@ -69,10 +69,11 @@ ENTRY(bcopy)
cmpl %ecx,%eax /* overlapping? */
jb 1f
cld /* nope, copy forwards. */
+ movl %ecx, %eax
shrl $2,%ecx /* copy by words */
rep
movsl
- movl 20(%esp),%ecx
+ movl %eax, %ecx
andl $3,%ecx /* any bytes left? */
rep
movsb
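Review bot: Neither the added `movl %ecx, %eax` nor the `movl %eax, %ecx` that replaces the stack reload has a comment saying why the length is parked in %eax, so a later cleanup could restore `movl 20(%esp),%ecx` without realising it undoes a hardening change. I would put a comment above the save, for example `/* keep len in %eax; the copy may overwrite the stacked arg, so never reload it from 20(%esp) */`, and repeat it at the matching save in the backward path of the second hunk. The change relies on %eax being dead once the `jb 1f` overlap test has been taken, which holds for the lines shown, but the function starts and ends outside this hunk. As a minor style point, the new lines write `%ecx, %eax` with a space after the comma, while the surrounding code uses `%ecx,%eax`.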
@@ -86,12 +87,13 @@ ENTRY(bcopy)
addl %ecx,%edi /* copy backwards. */
addl %ecx,%esi
std
+ movl %ecx, %eax
andl $3,%ecx /* any fractional bytes? */
decl %edi
decl %esi
rep
movsb
- movl 20(%esp),%ecx /* copy remainder by words */
+ movl %eax, %ecx /* copy remainder by words */
shrl $2,%ecx
subl $3,%esi
subl $3,%edi
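Review bot: Because %eax now carries the length until the final word copy, the memcpy/memmove builds named in the commit message can only set their return value after the last `rep`, and that code lies past the end of this hunk, so I cannot confirm how it is done. If the destination pointer is reloaded from its stack slot at that point, that is still a post-copy read of memory the copy may have overwritten; it does not influence the copy bounds, but it is worth a comment stating where this mitigation stops. %edx is untouched in the visible lines, so holding the length there instead and leaving %eax free for the return value might remove that read as well, which needs checking against the rest of the function.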