bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic) (10/07/87)
Subject: kernel tty indirect through zero
Index: sys/{tty.c,tty_pty.c} 4.3BSD
Description:
The kernel could indirect through a NULL pointer in the tty
driver.
Repeat-By:
Examine the code.
Fix:
Apply the following patches.
*** tty.c.old Tue Oct 6 20:18:25 1987
--- tty.c Tue Oct 6 20:19:27 1987
***************
*** 132,138 ****
register int s = spltty();
while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) &&
! tp->t_state&TS_CARR_ON) {
(*tp->t_oproc)(tp);
tp->t_state |= TS_ASLEEP;
sleep((caddr_t)&tp->t_outq, TTOPRI);
--- 132,138 ----
register int s = spltty();
while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) &&
! tp->t_state&TS_CARR_ON && tp->t_oproc) {
(*tp->t_oproc)(tp);
tp->t_state |= TS_ASLEEP;
sleep((caddr_t)&tp->t_outq, TTOPRI);
*** tty_pty.c.old Tue Oct 6 20:18:43 1987
--- tty_pty.c Tue Oct 6 20:19:06 1987
***************
*** 208,214 ****
return (EIO);
tp->t_oproc = ptsstart;
(void)(*linesw[tp->t_line].l_modem)(tp, 1);
- tp->t_state |= TS_CARR_ON;
pti = &pt_ioctl[minor(dev)];
pti->pt_flags = 0;
pti->pt_send = 0;
--- 208,213 ----
***************
*** 223,228 ****
--- 222,228 ----
tp = &pt_tty[minor(dev)];
(void)(*linesw[tp->t_line].l_modem)(tp, 0);
+ tp->t_state &= ~TS_CARR_ON;
tp->t_oproc = 0; /* mark closed */
}