Subject: Re: exploit with memcpy()
To: None <tech-userlevel@netbsd.org, tech-security@netbsd.org>
From: TAMURA Kent <kent@netbsd.org>
List: tech-security
Date: 07/02/2002 23:24:58
> > - The check is at the outside of the loop.
> > - It is done only if the destination address < the source address (+length)
  for arch/i386/string/bcopy.S, dest < source+length
  for string/bcopy.c, dest > source
> > - Many applications use gcc's builtin memcpy().
> 
> 	unluckily the 3rd bullet means that the patch won't take effect
> 	for most of the binaries, am I right?  do we want to modify gcc to
> 	generate the change you've proposed?

Right and no.  The exploit succeeds if and only if memcpy() is
compatible with memmove().  Gcc's builtin memcpy() is not.

-- 
TAMURA Kent <kent2002@hauN.org> <kent@netbsd.org>
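The point under discussion, as an added illustration that is not code from this thread, from the proposed patch, or from the NetBSD tree: a plain forward byte copy (the behaviour a builtin/inlined memcpy() typically has) and a memmove()-compatible bcopy() diverge exactly when the destination starts inside the source range, and an overlap check placed once, outside the copy loop, can refuse that case. The combined condition `dst > src && dst < src + len` is my own reading of the two per-file conditions quoted above and is an assumption, as are all function names; the checked copy returns NULL instead of aborting so the behaviour can be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if dst lies inside (src, src+len), the overlap a forward
 * byte loop cannot handle because it overwrites source bytes before it
 * has read them.  Assumed form of the check discussed in the thread. */
static int overlap_forward_unsafe(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return d > s && d < s + len;
}

/* Plain forward copy: what a builtin memcpy() is free to do, since
 * memcpy() makes no promise about overlapping arguments. */
static void *forward_copy(void *dst, const void *src, size_t len)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    while (len--)
        *d++ = *s++;
    return dst;
}

/* Checked copy: the overlap test runs once, before the loop, so the
 * non-overlapping hot path is unchanged.  A libc version would abort();
 * returning NULL here keeps the example observable. */
static void *checked_memcpy(void *dst, const void *src, size_t len)
{
    if (overlap_forward_unsafe(dst, src, len))
        return NULL;
    return forward_copy(dst, src, len);
}

/* Constructed input: shift 4 bytes of "ABCDEFGH" one byte to the right.
 * memmove() copies backwards and yields A A B C D F G H; the forward loop
 * re-reads the byte it just clobbered and yields A A A A A F G H.
 * Returns 1 if the two results differ. */
static int overlap_results_differ(void)
{
    unsigned char a[8] = {'A','B','C','D','E','F','G','H'};
    unsigned char b[8] = {'A','B','C','D','E','F','G','H'};
    memmove(a + 1, a, 4);
    forward_copy(b + 1, b, 4);
    return memcmp(a, b, sizeof a) != 0;
}

/* The check fires on the dst-inside-src case. */
static int demo_check_refuses_overlap(void)
{
    unsigned char buf[8] = {0};
    return checked_memcpy(buf + 1, buf, 4) == NULL;
}

/* Disjoint buffers copy normally. */
static int demo_check_allows_disjoint(void)
{
    unsigned char src[4] = {1, 2, 3, 4};
    unsigned char dst[4] = {0};
    return checked_memcpy(dst, src, 4) == dst && memcmp(dst, src, 4) == 0;
}

/* dst < src is overlap too, but a forward loop reads each byte before it
 * is overwritten, so the check leaves that case alone (dest > source in
 * the bcopy.c condition quoted above). Expected: B C D E E F G H. */
static int demo_check_allows_dest_before_src(void)
{
    unsigned char buf[8]  = {'A','B','C','D','E','F','G','H'};
    unsigned char want[8] = {'B','C','D','E','E','F','G','H'};
    return checked_memcpy(buf, buf + 1, 4) == buf && memcmp(buf, want, 8) == 0;
}

int main(void)
{
    printf("memmove vs forward copy differ on overlap: %d\n", overlap_results_differ());
    printf("check refuses dst-inside-src overlap:      %d\n", demo_check_refuses_overlap());
    printf("check allows disjoint copy:                %d\n", demo_check_allows_disjoint());
    printf("check allows dst-before-src copy:          %d\n", demo_check_allows_dest_before_src());
    return 0;
}
```

The last function is why the check is cheap to leave in: only one of the two overlap directions is rejected, the one in which a forward copy corrupts its own source, and that is also the only direction in which an exploit could depend on memmove()-like behaviour.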