Modify bcopy (and memcpy/memmove) so that the length value is not
re-read from the stack mid copy.  This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.

Reviewed by:	jdp
MFC after:	2 days
Mike Silbersack 2002-06-27 03:55:36 +00:00
parent 80536ead7f
commit 1228a1c634


@ -69,10 +69,11 @@ ENTRY(bcopy)
cmpl %ecx,%eax /* overlapping? */
jb 1f
cld /* nope, copy forwards. */
movl %ecx, %eax
shrl $2,%ecx /* copy by words */
rep
movsl
movl 20(%esp),%ecx
movl %eax, %ecx
andl $3,%ecx /* any bytes left? */
rep
movsb
@ -86,12 +87,13 @@ ENTRY(bcopy)
addl %ecx,%edi /* copy backwards. */
addl %ecx,%esi
std
movl %ecx, %eax
andl $3,%ecx /* any fractional bytes? */
decl %edi
decl %esi
rep
movsb
movl 20(%esp),%ecx /* copy remainder by words */
movl %eax, %ecx /* copy remainder by words */
shrl $2,%ecx
subl $3,%esi
subl $3,%edi
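Review bot: Neither new `movl %ecx, %eax` (forward path before `shrl $2,%ecx`, backward path after `std`) carries a comment saying why the length is kept in a register, so a later cleanup could quietly bring back the `movl 20(%esp),%ecx` reload. I would add `/* save len: 20(%esp) can be overwritten by the copy itself */` on both lines. %eax is last read by the `cmpl %ecx,%eax` overlap test, so it looks free at these points, but the prologue and epilogue are outside the hunks; since the message says memcpy/memmove share this code and those return the destination in %eax, confirm the epilogue sets it after the copy rather than relying on a value computed earlier. The change narrows one side effect of an overrun only: a copy with a bad length still runs to completion, so callers still need their own length checks.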