A terminology question for people. In this reference:

    BUGTRAQ:20061115 Re: DragonFlyBSD all versions FireWire IOCTL kernel integer overflow information disclousure
    http://www.securityfocus.com/archive/1/archive/1/451677/100/0/threaded

The issue is being described as an integer overflow. I think of an integer overflow as being: "some computation (addition, multiplication) would produce an integer value that is too large to be stored in the actual memory location, so the integer wraps to some other value." (Let's leave integer "underflow" out of this for the moment.)

However, the relevant code is given as:

    if (crom_buf->len < len)
        len = crom_buf->len;
    ...
    err = copyout(ptr, crom_buf->ptr, len);

Here, the "len" value is not computed in any way; it's simply set. The comparison succeeds because it is in a signed context, but the copyout() is using an unsigned value. So, to me, this doesn't look like an "integer overflow," rather some issue that's directly related to what I call a "signedness error" and what others sometimes refer to as "signed comparison" issues.

Based on what I've seen, integer overflows and signedness errors are often closely related, sometimes appearing in the same part of the code, so I think they get confused pretty frequently.

Or am I not understanding something basic here?

- Steve
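To make the distinction Steve is drawing concrete, here is an added, self-contained C example (not the DragonFlyBSD driver code and not part of the original post) that models the signed-comparison pattern quoted above beside a hardened form. The `struct crom_req`, its `int len` field, the `buf_len` parameter and both function names are assumptions chosen for illustration; no arithmetic ever overflows, the length is only compared in a signed context and then handed to an unsigned copy length, which is exactly the "signedness error" rather than an "integer overflow".

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-supplied request, modelled on the post's crom_buf (assumption).
 * The length is a signed int, as the quoted comparison implies. */
struct crom_req {
    int len;
};

/* Mirrors the quoted check: a signed comparison, then the value is handed to a
 * copy routine that takes an unsigned (size_t) length. Returns the length the
 * copy would actually use. buf_len is the kernel-side buffer size (assumption). */
size_t vulnerable_copy_len(const struct crom_req *req, size_t buf_len)
{
    int len = (int)buf_len;
    if (req->len < len)      /* signed compare: a negative req->len passes */
        len = req->len;
    return (size_t)len;      /* negative int -> huge size_t: copy reads far past buf */
}

/* Hardened form: reject negative requests explicitly, then clamp in the
 * unsigned domain so no implicit conversion can change the value.
 * Returns 0 on success with *out set, or -1 for an invalid request. */
int safe_copy_len(const struct crom_req *req, size_t buf_len, size_t *out)
{
    if (req->len < 0)
        return -1;           /* the driver would return EINVAL here */
    size_t want = (size_t)req->len;
    *out = (want < buf_len) ? want : buf_len;
    return 0;
}
```

With a request length of -1 the vulnerable path yields SIZE_MAX, while the hardened path rejects it; a legitimate length (or one larger than the buffer) is clamped to at most `buf_len`.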