Mail Archives: djgpp/1998/07/06/20:28:24

Sender: nate AT cartsys DOT com
Message-ID: <35A1652D.B77444A7@cartsys.com>
Date: Mon, 06 Jul 1998 17:00:45 -0700
From: Nate Eldredge <nate AT cartsys DOT com>
MIME-Version: 1.0
To: oonly AT mailexcite DOT com
CC: djgpp AT delorie DOT com
Subject: Re: __djgpp_nearptr_enable() question
References: <35A0644F DOT 5588 AT mailexcite DOT com>

Bob Berkawitz wrote:
> 
> When the __djgpp_nearptr_enable() function is used what exactly does it
> enable you to do and not do?

I think it will help if I explain exactly what it does.

On the 386, addresses are taken relative to a segment, which has a base
and a limit.  The virtual address is added to the base, and that is fed
into the paging process, but I won't discuss paging here.  However, if
the virtual address is greater than the segment limit, a fault is
signalled.  `__djgpp_nearptr_enable' sets the limit of the default data
segment to 0xffffffff, so that can never happen.  Therefore, a pointer
can wrap all the way around the address space, and point anywhere in
memory.

> Are all pointers you declare used like near pointers?

Yes.

> What is no longer protected after the function is called?

Anything that isn't protected by the paging mechanisms, and there isn't
much that is.  On Windows, nothing is protected by paging.

> Can you damage your system now?

Yup.

> And if so, in what ways?

Pointer overruns can do it in theory, though I suspect they'd be stopped
when you tried to access memory that didn't exist and was never
allocated by the DPMI server.  An uninitialized pointer could do it
easily:

char *p;
/* `p' is uninitialized;
   imagine it happens to be equal to `__djgpp_conventional_base' */
memcpy(p, buf, 999);

Voila!  Overwrite of the interrupt vectors and a stunning crash.  If you
were unlucky enough that `p' pointed into the disk cache buffer, it
would be worse yet.


-- 

Nate Eldredge
nate AT cartsys DOT com
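The post makes two points: the 386 only faults when an offset exceeds the segment limit, and once that limit is 0xffffffff nothing in hardware stops a stray pointer from reaching the interrupt vectors. The following is an added example, not code from the original post or from DJGPP. It models both points in portable C so it runs on any host: `seg_limit_fault' is the limit check described above, `conv_mem' and `conv_base' are constructed stand-ins for conventional memory and `__djgpp_conventional_base', and `checked_nearptr' is a hypothetical software bounds check a program would have to supply itself once the hardware one is gone (the window constants and sample addresses are constructed for the example).

```c
/* Added example (not from the original post). Shows why a software range
 * check is needed once __djgpp_nearptr_enable() has set the data segment
 * limit to 0xffffffff. DJGPP names are only modelled: `conv_base' stands
 * in for __djgpp_conventional_base and the 1 MiB array below stands in
 * for conventional memory, so this compiles and runs anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first 1 MiB of physical memory. */
#define CONV_SIZE 0x100000u
static unsigned char conv_mem[CONV_SIZE];

/* The 386 limit check the post describes: fault if offset > limit.
 * With limit == 0xffffffff this can never return 1. */
static int seg_limit_fault(uint32_t offset, uint32_t limit)
{
    return offset > limit;
}

/* Window of linear addresses the caller may touch (constructed for this
 * example): skip the real-mode interrupt vector table (0x000..0x3FF) and
 * the BIOS data area below 0x500, and stop at the 1 MiB boundary. */
#define CONV_LO 0x500u
#define CONV_HI CONV_SIZE

/* Hypothetical helper: return a pointer to [linear, linear + len) or
 * NULL if the range is not entirely inside the window or would wrap. */
static unsigned char *checked_nearptr(unsigned char *conv_base,
                                      uint32_t linear, uint32_t len)
{
    if (len == 0) return NULL;
    if (linear < CONV_LO || linear >= CONV_HI) return NULL;
    if (len > CONV_HI - linear) return NULL;   /* end would pass CONV_HI */
    return conv_base + linear;
}

/* Copy `len' bytes into conventional memory only through the checked
 * path. Returns 1 on success, 0 if the request was rejected. */
static int conv_write(unsigned char *conv_base, uint32_t linear,
                      const void *src, uint32_t len)
{
    unsigned char *dst = checked_nearptr(conv_base, linear, len);
    if (dst == NULL) return 0;
    memcpy(dst, src, len);
    return 1;
}

int main(void)
{
    static const char msg[] = "hello";

    /* With the limit raised to 0xffffffff no offset faults in hardware... */
    printf("offset 0xB8000 faults under limit 0xffffffff? %d\n",
           seg_limit_fault(0xB8000u, 0xffffffffu));

    /* ...so the rejection has to come from software. A write at linear
     * address 0 (the interrupt vectors, the post's crash scenario) is
     * refused; a write into the text-mode video buffer at 0xB8000 is not. */
    printf("write at 0x0:     %d\n", conv_write(conv_mem, 0x0u, msg, sizeof msg));
    printf("write at 0xB8000: %d\n", conv_write(conv_mem, 0xB8000u, msg, sizeof msg));
    return 0;
}
```

The helper does not make the uninitialized-pointer bug in the post impossible; it only gives code that deliberately reaches into conventional memory one path that re-creates, in software, the range check the raised segment limit removed.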

