From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <6d31ccaeeb641db8911b837f7905949a@felloff.net>
Date: Mon, 26 May 2014 22:09:04 +0200
From: cinap_lenrek@felloff.net
To: 9fans@9fans.net
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] devproc procctl close bug
Topicbox-Message-UUID: f1472598-ead8-11e9-9d60-3106f5b1d025

there's a bug in devproc again. the fd is not bounds checked for
the "close fd" procctl command, so whatever number is written to
the ctl file (negative or past the end of the fd array) is used
directly as the index in f->fd[fd]. also, the "closefiles" command
misses the last fd, as it iterates from fd=0 to maxfd-1 and not to
maxfd in procctlclosefiles().

static void
procctlcloseone(Proc *p, Fgrp *f, int fd)
{
	Chan *c;

	c = f->fd[fd];	// <-- not checked
	if(c == nil)
		return;
	f->fd[fd] = nil;
	unlock(f);
	qunlock(&p->debug);
	cclose(c);
	qlock(&p->debug);
	lock(f);
}

procctlclosefiles(Proc *p, int all, int fd)
{
	int i;
	Fgrp *f;

	f = p->fgrp;
	if(f == nil)
		error(Eprocdied);

	lock(f);
	f->ref++;
	if(all)
		for(i = 0; i < f->maxfd; i++)	// <-- wrong
			procctlcloseone(p, f, i);
	else
		procctlcloseone(p, f, fd);
	unlock(f);
	closefgrp(f);
}

...

	case CMclose:
		procctlclosefiles(p, 0, atoi(cb->f[1]));	// <-- fd can be anything
		break;
	case CMclosefiles:
		procctlclosefiles(p, 1, 0);
		break;

--
cinap