I said: In article <DFALB4.A5u@sgi.sgi.com>, "Perry E. Metzger" <perry@piermont.com> writes:
I can tell you in general terms -- I don't write MIPS assembler myself. However, I will point out to you that you use an ancient Sendmail, and that it uses syslog(3) on user produced data, and that syslog uses a static buffer. Trick sendmail into logging something very big, and you can do what you like. The 8lgm people wrote a demo for Sparc as a proof of concept.
Hmm, after having looked at the syslogd code, it looks like this particular bug has been fixed for at least several years. However, there sure are a hell of a lot of fixed size buffers being allocated off the stack and some of them are being used in unsafe ways.
Whoops. Having done a little more checking, it appears that this bug does indeed occur in all current versions of Irix. There's a patch for it (patch 825) that will be out imminently.

--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto            | tomw@engr.sgi.com
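The defensive counterpart to the fixed-size logging buffer discussed in this thread, as an added example that is not part of the original message and not the code of SGI's patch: formatting is bounded by the buffer size, truncation is detected and marked, and sender-controlled text is only ever passed as a `%s` argument. The names `format_log_line`, `log_sender` and `LOGBUF_SIZE` are hypothetical, and the 64-byte size is constructed so truncation is easy to see.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 64  /* constructed size, deliberately small for the demo */

/* Unsafe pattern described in the thread, shown only as a comment:
 *     static char buf[LOGBUF_SIZE];
 *     vsprintf(buf, fmt, ap);   // no length limit: long input runs past buf
 */

/* Bounded formatter (hypothetical helper).
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_log_line(char *out, size_t outsz, const char *fmt, ...)
{
    static const char marker[] = "...[truncated]";
    va_list ap;
    int n;

    if (out == NULL || outsz <= sizeof marker)
        return -1;                      /* too small to hold even the marker */
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap); /* never writes more than outsz bytes */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outsz) {           /* n is the length that was needed */
        memcpy(out + outsz - sizeof marker, marker, sizeof marker);
        return 1;
    }
    return 0;
}

/* Sender-supplied text is data, never the format string. */
int log_sender(char *out, size_t outsz, const char *sender)
{
    return format_log_line(out, outsz, "from=%s", sender);
}

int main(void)
{
    char line[LOGBUF_SIZE], big[500];   /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d %s\n", log_sender(line, sizeof line, big), line);
    return 0;
}
```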