Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!apple!voder!wlbr!wlv!sms
From: sms@wlv.imsd.contel.com (Steven M. Schultz)
Newsgroups: comp.bugs.2bsd
Subject: shutdown(2) crashes system +FIX
Message-ID: <34088@wlbr.IMSD.CONTEL.COM>
Date: 27 Jul 89 04:43:23 GMT
Sender: news@wlbr.IMSD.CONTEL.COM
Reply-To: sms@wlv.imsd.contel.com (Steven M. Schultz)
Organization: Contel Federal Systems
Lines: 53
Keywords:

Subject: shutdown(2) crashes system
Index:	sys/uipc_sys.c 2.10BSD

Description:
	shutdown(fd, how) on a file descriptor which is not valid (either
	fd >= NFILE or fd is not open) can crash your system.

	In general, ANY socket related syscall (bind, accept, listen, connect,
	send, etc) will exhibit this behaviour because a common routine
	is called to validate fd.

Repeat-By:
	Compile and run this program.

	main()
		{

		sync();
		shutdown(15, 2);
		}

	If the bug is present in your system it will crash with a "netcrash"
	panic.

Fix:
	Install the following patch.  The problem was that the GETF macro
	can NOT be used because it can return prematurely with a garbage
	value (what ever happened to be in r0 at the time).

	Arguably, an alternate fix for the bug would have been to
	fix GETF to return 0 when a file descriptor was invalid.  The
	fix below implements the 4.3BSD approach (although GETF should
	still be fixed i believe).

*** uipc_sys.c.old	Wed Jul 26 16:05:58 1989
--- uipc_sys.c	Wed Jul 26 16:09:36 1989
***************
*** 712,718 ****
  {
  	register struct file *fp;
  
! 	GETF(fp, fdes);
  	if (fp == NULL)
  		return (0);
  	if (fp->f_type != DTYPE_SOCKET) {
--- 712,718 ----
  {
  	register struct file *fp;
  
! 	fp = getf(fdes);
  	if (fp == NULL)
  		return (0);
  	if (fp->f_type != DTYPE_SOCKET) {