If the trap number stored in the trapframe is corrupted into a negative

value, then we would use a negative index into the trap_msg[] array
resulting in a nested page fault.  Make the 'type' variable holding the
trap number unsigned to avoid this.

MFC after:	2 weeks
Approved by:	re (rwatson)

2 files changed, 8 insertions, 4 deletions

diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c
index 082433b..2df156c 100644
--- a/sys/amd64/amd64/trap.c
+++ b/sys/amd64/amd64/trap.c
@@ -159,7 +159,8 @@ trap(struct trapframe *frame)
 {
 	struct thread *td = curthread;
 	struct proc *p = td->td_proc;
-	int i = 0, ucode = 0, type, code;
+	int i = 0, ucode = 0, code;
+	u_int type;
 	register_t addr = 0;
 	ksiginfo_t ksi;
 
@@ -622,7 +623,8 @@ trap_fatal(frame, eva)
 	struct trapframe *frame;
 	vm_offset_t eva;
 {
-	int code, type, ss;
+	int code, ss;
+	u_int type;
 	long esp;
 	struct soft_segment_descriptor softseg;
 	char *msg;
diff --git a/sys/i386/i386/trap.c b/sys/i386/i386/trap.c
index a528a92..ee8fe6a 100644
--- a/sys/i386/i386/trap.c
+++ b/sys/i386/i386/trap.c
@@ -173,7 +173,8 @@ trap(struct trapframe *frame)
 {
 	struct thread *td = curthread;
 	struct proc *p = td->td_proc;
-	int i = 0, ucode = 0, type, code;
+	int i = 0, ucode = 0, code;
+	u_int type;
 	register_t addr = 0;
 	vm_offset_t eva;
 	ksiginfo_t ksi;
@@ -793,7 +794,8 @@ trap_fatal(frame, eva)
 	struct trapframe *frame;
 	vm_offset_t eva;
 {
-	int code, type, ss, esp;
+	int code, ss, esp;
+	u_int type;
 	struct soft_segment_descriptor softseg;
 	char *msg;