From owner-freebsd-current@FreeBSD.ORG Mon Aug 10 17:10:50 2009
Date: Mon, 10 Aug 2009 10:10:46 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200908101710.n7AHAkod010285@apollo.backplane.com>
To: Rick Macklem
References: <598778D3-AE7B-47AF-A4F9-0D832BC1A990@exscape.org> <00694EF2-9BBC-4733-91C7-A6AE973D8973@exscape.org>
Cc: FreeBSD current, Robert Watson, Thomas Backman
Subject: Re: nmap UDP scan against 8.0-CURRENT -> fatal trap 12
List-Id: Discussions about the use of FreeBSD-current

There are probably still some improper uses of signed integers for length tests, against lengths being too long. If the unsigned value is (signed) negative, the test doesn't catch it.

Look for cases where fxdr_unsigned() is being passed a signed integer cast *OR* is being assigned to a signed integer type. I found a few in DFly but I haven't done a real audit.

For example, nfs_serv.c line 2768 in the FreeBSD codebase is one such case:

    cnt = fxdr_unsigned(int, *tl);
    if (cnt > xfer)        <<< WRONG, cnt and xfer are both signed.
    ...

-Matt
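The signed-comparison flaw described in the message, as an added C illustration that is not code from the FreeBSD or DragonFly kernels: fxdr_unsigned() is replaced by a constructed stand-in macro, and length_ok_buggy()/length_ok_fixed() are hypothetical helpers showing the pattern quoted above beside a corrected one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's fxdr_unsigned(): an XDR word is a
 * 32-bit unsigned integer converted to the requested type. Byte order is
 * ignored here because it is irrelevant to the signedness bug. */
#define fxdr_unsigned(t, v) ((t)(uint32_t)(v))

/* Buggy pattern from the message: the decoded length lands in a signed int.
 * A wire value of 0x80000000 or more becomes negative, so "cnt > xfer" is
 * false and an absurdly large length is accepted. */
static bool length_ok_buggy(uint32_t wire_len, int xfer)
{
    int cnt = fxdr_unsigned(int, wire_len);
    if (cnt > xfer)
        return false;      /* rejected as too long */
    return true;           /* accepted, wrongly when cnt wrapped negative */
}

/* Corrected: keep the decoded length unsigned and compare as unsigned, after
 * ruling out a negative limit so the cast of xfer cannot itself wrap. */
static bool length_ok_fixed(uint32_t wire_len, int xfer)
{
    uint32_t cnt = fxdr_unsigned(uint32_t, wire_len);
    if (xfer < 0 || cnt > (uint32_t)xfer)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: an 8 KiB transfer limit and a wire length that
     * wraps to -16 when treated as a signed int. */
    const int xfer = 8192;
    const uint32_t wrapped = 0xFFFFFFF0u;
    printf("buggy accepts 0x%08x: %d\n", wrapped, length_ok_buggy(wrapped, xfer));
    printf("fixed accepts 0x%08x: %d\n", wrapped, length_ok_fixed(wrapped, xfer));
    return 0;
}
```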