
Reversing Apple’s syslogd bug - adamnemecek
https://reverse.put.as/2016/01/22/reversing-apples-syslogd-bug/
======
erydo
This is a fantastic reverse-engineering writeup. It's always fun to see this
kind of thing on HN.

------
Twirrim
I'm curious whether any of the standard source code analysis tools would have
caught this.

~~~
Etheryte
I doubt it, as the buggy code wasn't nonsense in the usual sense.

~~~
Someone
But it was suspicious. Seeing

    1 * sizeof(int)


directly in the code, not in a macro expansion, in my book is somewhat
suspicious (people could do that for symmetry in a series of similar lines of
code), but

    whatever_count + x * sizeof(int)

could easily trigger a heuristic "thou shalt not add a count and a size".

The code does not even need to be smart enough to determine that
"whatever_count" is used as a count; if it actually is a size, it is worth
warning about, too, so a somewhat vague warning would, in my book, be fine.

~~~
HappyTypist
That makes sense. If it's not there, it's probably something that should be
added.

------
psykovsky
Off-topic, but "put.as" to a Portuguese is like "hooke.rs" to an
American/British. A great domain name for an "escort" service or porn site,
I'll give you that :)

~~~
TazeTSchnitzel
It appears to be very intentional: [http://put.as/](http://put.as/)

~~~
voltagex_
Might want to add a NSFW warning to that link.

