Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!uunet!husc6!necntc!ames!sdcsvax!ucbvax!OKEEFFE.BERKELEY.EDU!bostic From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic) Newsgroups: comp.bugs.4bsd.ucb-fixes Subject: V1.39 (kernel tty indirect through zero) Message-ID: <8710070328.AA21589@okeeffe.Berkeley.EDU> Date: Tue, 6-Oct-87 23:28:59 EDT Article-I.D.: okeeffe.8710070328.AA21589 Posted: Tue Oct 6 23:28:59 1987 Date-Received: Sat, 10-Oct-87 06:32:44 EDT Sender: daemon@ucbvax.BERKELEY.EDU Distribution: world Organization: The ARPA Internet Lines: 53 Approved: ucb-fixes@okeeffe.berkeley.edu Subject: kernel tty indirect through zero Index: sys/{tty.c,tty_pty.c} 4.3BSD Description: The kernel could indirect through a NULL pointer in the tty driver. Repeat-By: Examine the code. Fix: Apply the following patches. *** tty.c.old Tue Oct 6 20:18:25 1987 --- tty.c Tue Oct 6 20:19:27 1987 *************** *** 132,138 **** register int s = spltty(); while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) && ! tp->t_state&TS_CARR_ON) { (*tp->t_oproc)(tp); tp->t_state |= TS_ASLEEP; sleep((caddr_t)&tp->t_outq, TTOPRI); --- 132,138 ---- register int s = spltty(); while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) && ! tp->t_state&TS_CARR_ON && tp->t_oproc) { (*tp->t_oproc)(tp); tp->t_state |= TS_ASLEEP; sleep((caddr_t)&tp->t_outq, TTOPRI); *** tty_pty.c.old Tue Oct 6 20:18:43 1987 --- tty_pty.c Tue Oct 6 20:19:06 1987 *************** *** 208,214 **** return (EIO); tp->t_oproc = ptsstart; (void)(*linesw[tp->t_line].l_modem)(tp, 1); - tp->t_state |= TS_CARR_ON; pti = &pt_ioctl[minor(dev)]; pti->pt_flags = 0; pti->pt_send = 0; --- 208,213 ---- *************** *** 223,228 **** --- 222,228 ---- tp = &pt_tty[minor(dev)]; (void)(*linesw[tp->t_line].l_modem)(tp, 0); + tp->t_state &= ~TS_CARR_ON; tp->t_oproc = 0; /* mark closed */ }
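Review bot: In the tty.c hunk at line 135, the new `tp->t_oproc` term lets the wait loop exit while `tp->t_outq.c_cc` is still nonzero, and nothing in the hunk says what happens to that queued output. A short comment stating that a zero `t_oproc` means the device is closed (tty_pty.c stores 0 there with the comment "mark closed") and that pending output is deliberately abandoned would make the intent clear. The condition also mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter, but writing `(tp->t_state&TS_CARR_ON) && tp->t_oproc` would read more safely.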
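Review bot: In the first tty_pty.c hunk (line 208), once `tp->t_state |= TS_CARR_ON;` is removed, nothing in the visible lines sets the carrier flag on open, so it has to come from the `(*linesw[tp->t_line].l_modem)(tp, 1)` call, whose return value is discarded with `(void)`. Please confirm that every line discipline reachable through `linesw` sets `TS_CARR_ON` in its `l_modem` handler, and add a comment here saying the flag is now owned by that call, since the dependency is not obvious from this function alone.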
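Review bot: In the second tty_pty.c hunk (line 223), the close path now clears `TS_CARR_ON` explicitly right after `l_modem(tp, 0)`, while the open path was changed to leave the flag to `l_modem(tp, 1)`; that asymmetry deserves a one-line comment explaining why close cannot rely on the line discipline the same way. The ordering (flag cleared, then `tp->t_oproc = 0`) matches the order the tty.c loop tests them, but the hunk does not show whether these two stores run at `spltty()`; if they do not, a raised priority around them would keep the tty.c loop from seeing one change without the other.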