author | silby <silby@FreeBSD.org> | 2002-06-27 03:55:36 +0000 |
---|---|---|
committer | silby <silby@FreeBSD.org> | 2002-06-27 03:55:36 +0000 |
commit | 100d07d8c12e585da2afae57444fbf7cb26fa2fc (patch) | |
tree | c222e3d016e1af1014e25f8021bf168299381563 /lib/libc/i386 | |
parent | 4a461e9ee15f4073dfc50e849319dcb53fbbd66b (diff) | |
Modify bcopy (and memcpy/memmove) so that the length value is not
re-read from the stack mid copy. This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.
Reviewed by: jdp
MFC after: 2 days
Diffstat (limited to 'lib/libc/i386')
-rw-r--r-- | lib/libc/i386/string/bcopy.S | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libc/i386/string/bcopy.S b/lib/libc/i386/string/bcopy.S
index aaa701b..0046e57 100644
--- a/lib/libc/i386/string/bcopy.S
+++ b/lib/libc/i386/string/bcopy.S
@@ -69,10 +69,11 @@ ENTRY(bcopy)
 cmpl %ecx,%eax /* overlapping? */
 jb 1f
 cld /* nope, copy forwards. */
+ movl %ecx, %eax
 shrl $2,%ecx /* copy by words */
 rep
 movsl
- movl 20(%esp),%ecx
+ movl %eax, %ecx
 andl $3,%ecx /* any bytes left? */
 rep
 movsb
@@ -86,12 +87,13 @@ ENTRY(bcopy)
 addl %ecx,%edi /* copy backwards. */
 addl %ecx,%esi
 std
+ movl %ecx, %eax
 andl $3,%ecx /* any fractional bytes? */
 decl %edi
 decl %esi
 rep
 movsb
- movl 20(%esp),%ecx /* copy remainder by words */
+ movl %eax, %ecx /* copy remainder by words */
 shrl $2,%ecx
 subl $3,%esi
 subl $3,%edi |
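Review bot: The added `movl %ecx, %eax` / `movl %eax, %ecx` pair has no comment, although it exists for a security reason that a later cleanup could easily undo. Going by the commit message, the length argument at `20(%esp)` can be overwritten by the copy itself during an overrun, so it must not be re-read once copying has begun. I would add `/* keep len in a register: its stack slot may be overwritten by the copy */` on the save, here and on the matching save after `std` in the second hunk. The new lines also write `%ecx, %eax` with a space after the comma, where the surrounding lines use `%ecx,%eax`. ENTRY(bcopy) starts and ends outside the hunk.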
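Review bot: `%eax` now holds the saved length from `movl %ecx, %eax` until the restore after `rep movsb`, so nothing in between may use it as scratch. The commit message says this file also builds memcpy/memmove, which on i386 return the destination pointer in `%eax`. The epilogue is outside the hunk, so I cannot see where that return value is set. It has to be loaded after the final word copy, and if it is read back from the argument slot on the stack, it is exposed to the same overwrite this commit guards the length against. This change only keeps the count stable and does not bound it, so callers must still reject an oversized length.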