nmap UDP scan against 8.0-CURRENT -> fatal trap 12

Matthew Dillon dillon at apollo.backplane.com
Mon Aug 10 17:10:51 UTC 2009

    There are probably still some improper uses of signed integers for
    length tests, against lengths being too long.  If the unsigned value
    is (signed)negative, the test doesn't catch it.

    Look for cases where fxdr_unsigned() is being passed a signed
    integer cast *OR* is being assigned to a signed integer type.
    I found a few in DFly but I haven't done a real audit.

    For example, nfs_serv.c line 2768 in the FreeBSD codebase is one
    such case:

	cnt = fxdr_unsigned(int, *tl);
	if (cnt > xfer)		<<< WRONG, cnt and xfer are both signed.


More information about the freebsd-current mailing list