nmap UDP scan against 8.0-CURRENT -> fatal trap 12
dillon at apollo.backplane.com
Mon Aug 10 17:10:51 UTC 2009
There are probably still some improper uses of signed integers for
length tests, against lengths being too long. If the unsigned value
is (signed)negative, the test doesn't catch it.
Look for cases where fxdr_unsigned() is being passed a signed
integer cast *OR* is being assigned to a signed integer type.
I found a few in DFly but I haven't done a real audit.
For example, nfs_serv.c line 2768 in the FreeBSD codebase is one
cnt = fxdr_unsigned(int, *tl);
if (cnt > xfer) <<< WRONG, cnt and xfer are both signed.
More information about the freebsd-current