Subject: kern/17382: Repeated TIOCSCTTY calls corrupt session hold count
To: None <>
From: David Laight <>
List: netbsd-bugs
Date: 06/25/2002 10:57:27
>Number:         17382
>Category:       kern
>Synopsis:       Repeated TIOCSCTTY calls corrupt session hold count
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 25 02:58:00 PDT 2002
>Originator:     David Laight
>Release:        NetBSD 1.6B
System: NetBSD snowdrop 1.6B NetBSD 1.6B (GENERIC) #11: Mon Jun 24 13:09:25 BST 2002
dsl@snowdrop:/usr/bsd-current/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
	ttioctl in kern/tty.c contains (about line 984) contains:

        case TIOCSCTTY:                 /* become controlling tty */
                /* Session ctty vnode pointer set in vnode layer. */
                if (!SESS_LEADER(p) ||
                    ((p->p_session->s_ttyvp || tp->t_session) &&
                    (tp->t_session != p->p_session)))
                        return (EPERM);
                tp->t_session = p->p_session;
                tp->t_pgrp = p->p_pgrp;
                p->p_session->s_ttyp = tp;
                p->p_flag |= P_CONTROLT;
	As I read this, if it proceeds because (tp->t_session == p->p_session) 
	then it does an unnecessary SESSHOLD() - causing the reference
	count on the session structure to become invalid.

	Code inspection
	Rework the test... maybe:
+	    if (!tp->t_session) {
		    tp->t_session = p->p_session;
+	    }