...
The following example is based on a flaw discovered in the OpenBSD operating system \[[ref]\]. An integer, {{offset}}, is added to a pointer of type {{struct big}}, and the sum is then used as the destination address in a call to {{memset()}}. However, when {{offset}} is added to the {{struct big}} pointer, it is automatically scaled by the size of {{struct big}}, which is 32 bytes (assuming 4-byte integers, 8-byte long long integers, and no structure padding). The intended offset of {{offset}} bytes therefore becomes {{offset * 32}} bytes, and the call to {{memset()}} writes to unintended memory, typically past the end of the object. The fix is to convert the pointer to {{char *}} before adding the byte offset, so that no scaling takes place.
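The mis-scaled pointer arithmetic and its byte-addressed fix, side by side, as an added example written for this page (it is neither the page's own code nor the OpenBSD code the flaw was found in). The {{struct big}} layout follows the text; the nine-element array and the {{skip}} value of {{offsetof(struct big, ull_2)}} are assumptions chosen so that the wrong write still lands inside memory the program owns and can be observed instead of corrupting something unrelated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the text: three 8-byte long longs and two 4-byte ints,
 * 32 bytes with no padding on common ABIs.  Constructed for this example. */
struct big {
    unsigned long long ull_1;
    unsigned long long ull_2;
    unsigned long long ull_3;
    int si_4;
    int si_5;
};

/* Assumption: a larger array, so the mis-scaled pointer still points into
 * an object we own and the effect is observable without undefined behavior.
 * In the real bug there is only one struct, so the write goes out of bounds. */
#define NELEM 9

/* Noncompliant: intends to zero s[0] from byte `skip` onward, but `s + skip`
 * advances skip * sizeof(struct big) bytes, not skip bytes. */
static void clear_tail_bad(struct big *s, size_t skip) {
    memset(s + skip, 0, sizeof(struct big) - skip);
}

/* Compliant: convert to char * first, so the offset is applied in bytes. */
static void clear_tail_good(struct big *s, size_t skip) {
    memset((char *)s + skip, 0, sizeof(struct big) - skip);
}

/* Fill NELEM structs with 0xFF and apply one of the two clear routines with
 * skip = offsetof(struct big, ull_2), i.e. 8 bytes. */
static void run(int use_bad, struct big arr[NELEM]) {
    size_t skip = offsetof(struct big, ull_2);
    memset(arr, 0xFF, NELEM * sizeof(struct big));
    if (use_bad)
        clear_tail_bad(arr, skip);
    else
        clear_tail_good(arr, skip);
}

/* Number of zero bytes in element i of arr (0 means it was not touched). */
static size_t zero_bytes(const struct big *arr, size_t i) {
    const unsigned char *p = (const unsigned char *)&arr[i];
    size_t n = 0;
    for (size_t k = 0; k < sizeof *arr; k++)
        n += (p[k] == 0);
    return n;
}

/* Index of the first element the memset modified (NELEM if none).
 * The intended target is element 0; the scaled version hits element 8. */
static size_t first_modified(int use_bad) {
    struct big arr[NELEM];
    run(use_bad, arr);
    for (size_t i = 0; i < NELEM; i++)
        if (zero_bytes(arr, i) != 0)
            return i;
    return NELEM;
}

/* How many bytes of element 0 were actually cleared. */
static size_t zeroed_in_element0(int use_bad) {
    struct big arr[NELEM];
    run(use_bad, arr);
    return zero_bytes(arr, 0);
}

int main(void) {
    printf("sizeof(struct big) = %zu\n", sizeof(struct big));
    printf("noncompliant: first element written = %zu, bytes cleared in [0] = %zu\n",
           first_modified(1), zeroed_in_element0(1));
    printf("compliant:    first element written = %zu, bytes cleared in [0] = %zu\n",
           first_modified(0), zeroed_in_element0(0));
    return 0;
}
```

The noncompliant call leaves element 0 untouched and instead clears the start of element 8, which is {{8 * sizeof(struct big)}} bytes away; with a single heap-allocated {{struct big}}, as in the original flaw, that same write lands 256 bytes past the object. Note that the size argument, {{sizeof(struct big) - skip}}, was already expressed in bytes; only the destination pointer was scaled, which is why the bug is easy to miss in review.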
...