There are probably still some improper uses of signed integers for length tests, against lengths being too long. If the unsigned value is (signed) negative, the test doesn't catch it. Look for cases where fxdr_unsigned() is being passed a signed integer cast *OR* is being assigned to a signed integer type. I found a few in DFly but I haven't done a real audit.

For example, nfs_serv.c line 2768 in the FreeBSD codebase is one such case:

    cnt = fxdr_unsigned(int, *tl);
    if (cnt > xfer)    <<< WRONG, cnt and xfer are both signed.

...

-Matt

Received on Mon Aug 10 2009 - 15:10:50 UTC
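The signed-versus-unsigned length check described in the post, as an added example that is not part of the original message nor of the FreeBSD or DragonFly sources: the fxdr_unsigned macro here is a local stand-in assumed to match the shape of the BSD XDR helper, and the on-the-wire count value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Local stand-in for the NFS XDR helper (assumption: same shape as the
 * BSD macro, a cast to type t around ntohl()); not the kernel header. */
#define fxdr_unsigned(t, v) ((t)ntohl((int32_t)(v)))

/* The pattern quoted in the post: the count is decoded into a signed int
 * and compared against a signed limit. Returns 1 if the count is accepted.
 * A huge on-the-wire count becomes negative and slips past the test. */
static int count_ok_signed(uint32_t wire_be, int xfer)
{
    int cnt = fxdr_unsigned(int, wire_be);
    if (cnt > xfer)
        return 0;   /* rejected */
    return 1;       /* accepted, even when cnt is negative */
}

/* Corrected form: keep the decoded count unsigned so it cannot wrap to a
 * negative value, and compare it against an unsigned limit. */
static int count_ok_unsigned(uint32_t wire_be, unsigned int xfer)
{
    unsigned int cnt = fxdr_unsigned(unsigned int, wire_be);
    return cnt <= xfer;
}

int main(void)
{
    unsigned int xfer = 8192;                 /* constructed transfer limit */
    uint32_t small = htonl(100u);             /* constructed sane count */
    uint32_t huge  = htonl(0xFFFFFF00u);      /* constructed oversized count */

    printf("count 100:        signed=%d unsigned=%d\n",
           count_ok_signed(small, (int)xfer), count_ok_unsigned(small, xfer));
    printf("count 0xFFFFFF00: signed=%d unsigned=%d\n",
           count_ok_signed(huge, (int)xfer), count_ok_unsigned(huge, xfer));
    return 0;
}
```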
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:53 UTC