nmap UDP scan against 8.0-CURRENT -> fatal trap 12
Matthew Dillon
dillon at apollo.backplane.com
Mon Aug 10 17:10:51 UTC 2009
There are probably still some improper uses of signed integers for
length tests, against lengths being too long. If the unsigned value
is (signed)negative, the test doesn't catch it.
Look for cases where fxdr_unsigned() is being passed a signed
integer cast *OR* is being assigned to a signed integer type.
I found a few in DFly but I haven't done a real audit.
For example, nfs_serv.c line 2768 in the FreeBSD codebase is one
such case:
cnt = fxdr_unsigned(int, *tl);
if (cnt > xfer) <<< WRONG, cnt and xfer are both signed.
...
-Matt
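The pattern Matt describes, reduced to a runnable illustration. This is an added example, not code from the post or from the FreeBSD or DragonFly source trees: the `fxdr_unsigned()` macro below is a local stand-in that decodes a big-endian XDR word the same way the real one does, `accept_count_signed()` reproduces the `cnt = fxdr_unsigned(int, *tl); if (cnt > xfer)` shape, and `accept_count_unsigned()` is one way to write the check so the bound is compared before the value can ever become negative. The sample wire words are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Local stand-in for FreeBSD's fxdr_unsigned(): convert a big-endian XDR
 * word to host order and cast it to the requested C type. Defined here so
 * the example runs without the kernel headers. */
#define fxdr_unsigned(t, v) ((t)ntohl((uint32_t)(v)))

/* The flawed shape from the post. The wire word is decoded into a signed
 * int, so any count with the high bit set (>= 0x80000000) becomes negative
 * on two's-complement hosts and trivially satisfies cnt <= xfer, even though
 * the client asked for far more than xfer bytes. Returns true if the length
 * is accepted. */
bool accept_count_signed(uint32_t wire_word, int xfer)
{
    int cnt = fxdr_unsigned(int, wire_word);
    if (cnt > xfer)
        return false;   /* rejected as too long */
    return true;        /* accepted; a negative cnt slips through here */
}

/* Hardened shape: keep the decoded value unsigned and compare it against
 * the bound before it is narrowed into anything signed or used as a size.
 * A negative xfer is treated as "nothing allowed" rather than being
 * converted to a huge unsigned bound. */
bool accept_count_unsigned(uint32_t wire_word, int xfer)
{
    uint32_t cnt = fxdr_unsigned(uint32_t, wire_word);
    if (xfer < 0 || cnt > (uint32_t)xfer)
        return false;
    return true;
}

int main(void)
{
    const int xfer = 4096;          /* constructed per-request transfer limit */
    const uint32_t samples[] = {     /* constructed host-order counts */
        100u,                        /* small, legitimate */
        5000u,                       /* just over the limit */
        0xFFFFFF00u,                 /* huge; reads as -256 when cast to int */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t wire = htonl(samples[i]);   /* as it would arrive on the wire */
        printf("count=%10u  signed-check=%s  unsigned-check=%s\n",
               samples[i],
               accept_count_signed(wire, xfer) ? "accept" : "reject",
               accept_count_unsigned(wire, xfer) ? "accept" : "reject");
    }
    return 0;
}
```

Running it shows the two checks agreeing on 100 (accept) and 5000 (reject) and disagreeing on 0xFFFFFF00: the signed comparison accepts it, the unsigned one rejects it. That disagreement is exactly the audit target the post names: any site where the result of `fxdr_unsigned()` is requested as, or stored into, a signed type and then compared against a signed bound.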