Sender: nate AT cartsys DOT com
Message-ID: <35A1652D.B77444A7@cartsys.com>
Date: Mon, 06 Jul 1998 17:00:45 -0700
From: Nate Eldredge
MIME-Version: 1.0
To: oonly AT mailexcite DOT com
CC: djgpp AT delorie DOT com
Subject: Re: __djgpp_nearptr_enable() question
References: <35A0644F DOT 5588 AT mailexcite DOT com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Precedence: bulk

Bob Berkawitz wrote:
>
> When the __djgpp_nearptr_enable() function is used what exactly does it
> enable you to do and not do?

I think it will help if I explain exactly what it does.

On the 386, addresses are taken relative to a segment, which has a base
and a limit. The virtual address is added to the base, and that is fed
into the paging process, but I won't discuss paging here. However, if
the virtual address is greater than the segment limit, a fault is
signalled. `__djgpp_nearptr_enable' sets the limit of the default data
segment to 0xffffffff, so that can never happen. Therefore, a pointer
can wrap all the way around the address space, and point anywhere in
memory.

> Are all pointers you declare used like near pointers?

Yes.

> What is no longer protected after the function is called?

Anything that isn't protected by the paging mechanisms, and there isn't
much that is. On Windows, nothing is protected by paging.

> Can you damage your system now?

Yup.

> And if so, in what ways?

Pointer overruns can do it in theory, though I suspect they'd be stopped
when you tried to access memory that didn't exist and was never
allocated by the DPMI server. An uninitialized pointer could do it
easily:

    char *p;
    /* `p' is uninitialized; imagine it happens to be equal to
       `__djgpp_conventional_base' */
    memcpy(p, buf, 999);

Voila! Overwrite of the interrupt vectors and a stunning crash. If you
were unlucky enough that `p' pointed into the disk cache buffer, it
would be worse yet.

--
Nate Eldredge
nate AT cartsys DOT com