Date: Mon, 10 Aug 2009 10:10:46 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: FreeBSD current <freebsd-current@freebsd.org>, Robert Watson <rwatson@freebsd.org>, Thomas Backman <serenity@exscape.org> Subject: Re: nmap UDP scan against 8.0-CURRENT -> fatal trap 12 Message-ID: <200908101710.n7AHAkod010285@apollo.backplane.com> References: <598778D3-AE7B-47AF-A4F9-0D832BC1A990@exscape.org> <Pine.GSO.4.63.0908091421360.18198@muncher.cs.uoguelph.ca> <00694EF2-9BBC-4733-91C7-A6AE973D8973@exscape.org> <Pine.GSO.4.63.0908091546510.5263@muncher.cs.uoguelph.ca> <alpine.BSF.2.00.0908092150550.36842@fledge.watson.org> <Pine.GSO.4.63.0908101236160.15949@muncher.cs.uoguelph.ca>
There are probably still some improper uses of signed integers for length tests, against lengths being too long. If the unsigned value is (signed)negative, the test doesn't catch it. Look for cases where fxdr_unsigned() is being passed a signed integer cast *OR* is being assigned to a signed integer type. I found a few in DFly but I haven't done a real audit.

For example, nfs_serv.c line 2768 in the FreeBSD codebase is one such case:

    cnt = fxdr_unsigned(int, *tl);
    if (cnt > xfer)          <<< WRONG, cnt and xfer are both signed.

...

-Matt
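The signed-comparison problem Matt describes, as a stand-alone added example (not code from the mail or from the FreeBSD tree): the buggy check next to an unsigned version. The fxdr_unsigned() macro here is a stand-in written for this example, assumed to behave like the kernel's (decode a big-endian XDR word and cast it to the requested type); the wire value and the 8192 limit are constructed sample inputs.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FreeBSD's fxdr_unsigned(): an XDR word is a 32-bit
 * big-endian value, converted to host order and cast to type t. */
#define fxdr_unsigned(t, v) ((t)ntohl((uint32_t)(v)))

/* Check as quoted in the mail: cnt and xfer are both signed, so a
 * count word >= 0x80000000 decodes as negative and slips past the test. */
bool length_ok_signed(uint32_t wire_word, int xfer)
{
	int cnt = fxdr_unsigned(int, wire_word);
	if (cnt > xfer)
		return false;   /* rejected as too long */
	return true;        /* accepted: caller would use cnt as a length */
}

/* Corrected check: decode into an unsigned type and compare against an
 * unsigned bound, so a huge count can never look small. */
bool length_ok_unsigned(uint32_t wire_word, unsigned int xfer)
{
	unsigned int cnt = fxdr_unsigned(unsigned int, wire_word);
	if (cnt > xfer)
		return false;
	return true;
}

int main(void)
{
	/* Constructed sample: count word of 0xFFFFFFFF against a limit of 8192. */
	uint32_t wire = htonl(0xFFFFFFFFu);
	printf("signed check:   %s\n",
	    length_ok_signed(wire, 8192) ? "accepted (bug)" : "rejected");
	printf("unsigned check: %s\n",
	    length_ok_unsigned(wire, 8192) ? "accepted" : "rejected");
	return 0;
}
```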