Source-Changes-HG archive


[src/trunk]: src/lib/librmt Improve isrmt() check: it cannot be a rmt fd if t...



details:   https://anonhg.NetBSD.org/src/rev/435934763ee1
branches:  trunk
changeset: 762272:435934763ee1
user:      pooka <pooka%NetBSD.org@localhost>
date:      Fri Feb 18 16:10:09 2011 +0000

description:
Improve isrmt() check: it cannot be a rmt fd if there are no pipes
open for the fd.  Prevents collision with rumphijack.

Also, prevent potential hyperspace memory access.

Does someone want to write tests for this facility?

diffstat:

 lib/librmt/rmtlib.c |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (30 lines):

diff -r fd3f6fc8d0cd -r 435934763ee1 lib/librmt/rmtlib.c
--- a/lib/librmt/rmtlib.c       Fri Feb 18 16:06:20 2011 +0000
+++ b/lib/librmt/rmtlib.c       Fri Feb 18 16:10:09 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: rmtlib.c,v 1.22 2010/08/31 05:12:35 enami Exp $        */
+/*     $NetBSD: rmtlib.c,v 1.23 2011/02/18 16:10:09 pooka Exp $        */
 
 /*
  *     rmt --- remote tape emulator subroutines
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: rmtlib.c,v 1.22 2010/08/31 05:12:35 enami Exp $");
+__RCSID("$NetBSD: rmtlib.c,v 1.23 2011/02/18 16:10:09 pooka Exp $");
 
 #define RMTIOCTL       1
 /* #define USE_REXEC   1 */    /* rexec code courtesy of Dan Kegel, srs!dan */
@@ -670,8 +670,10 @@
 int
 isrmt(int fd)
 {
+       int unbias = fd - REM_BIAS;
 
-       return (fd >= REM_BIAS);
+       return (fd >= REM_BIAS) && unbias < MAXUNIT &&
+           (WRITE(unbias) != -1 || READ(unbias) != -1);
 }
 
 
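Review bot: The new return in isrmt() relies on evaluation order for its safety, and nothing in the code says so. `unbias < MAXUNIT` has to stay ahead of `WRITE(unbias)` and `READ(unbias)` so that short-circuiting keeps an out-of-range unit from reaching those lookups, and `fd >= REM_BIAS` has to stay first so that `unbias` is non-negative by the time it is used. A short comment above the return stating both, plus the reason for the pipe test (an fd at or above REM_BIAS that has no pipe open is not an rmt fd, per the commit message), would keep a later cleanup from reordering the terms. Two smaller points: the condition uses `||`, so a unit with only one of its two pipes set still counts as rmt, and it is worth confirming that is intended rather than `&&`; and `(fd >= REM_BIAS)` is parenthesised while `unbias < MAXUNIT` is not, so pick one style. For the tests the commit message asks about, the boundary cases visible here are fd just below REM_BIAS, fd equal to REM_BIAS + MAXUNIT, and an in-range fd with both pipes at -1, all of which should return 0.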


