Created attachment 166034 [details] A test program that demonstrates the buffer overflow Please see attached file evil.c for a possible scenario where it's possible to trigger buffer overflow. It uses a somewhat contrived example of non-blocking pipes as an underlying file descriptor, mainly because it's easy to trigger (partially) failed writes. The defect can be located in the code /usr/src/lib/libc/stdio/fflush.c and function __sflush. Line-buffered files where write(s) has partially succeeded will have their internal write pointer increased, but not getting a corresponding write space decrease. (so, the defect is: if fp is a FILE *, then fp->_p is increased but fp->_w is NOT decreased in this situation) Sample output on my FREEBSD 10.2-RELEASE-p7 amd64 machine: zsh 1311 % cc evil.c -o evil && ./evil rc from fread(1): 1 rc from fwrite(1): 1 rc from fwrite(1021): 1021 rc from fflush: -1 rc from fwrite(1): 1 rc from fwrite(4): 4 Canary overwritten: 97 65 98 66