author: ru <ru@FreeBSD.org> 2003-05-31 05:20:44 +0000
committer: ru <ru@FreeBSD.org> 2003-05-31 05:20:44 +0000
commit: 1c938f7a9e304a2c64368e6fb3cff2d83bd4d9a4
tree: e0e71cfdb412ddb91a5b4f78462d1919fe9cb5cf /lib/libc_r
parent: 06641851f8ab25e4c5ca45bf053705ec5e66d5a4

If an application closes one of its stdio descriptors (0..2), an excessive close() on one of these descriptors would cause memory for this descriptor to be allocated in the internal descriptor table. When this descriptor gets used again, e.g. through the call to open() or socket(), the descriptor would be erroneously left in the blocking mode, and the whole application would get stuck on a blocking operation, e.g., in accept(2).

Prevent this bug from happening by disallowing close() against non-active descriptors (return -1 and set errno to EBADF in this case).

Reviewed by: deischen
Approved by: re (scottl)

Diffstat (limited to 'lib/libc_r')
-rw-r--r-- lib/libc_r/uthread/uthread_close.c 6
1 files changed, 4 insertions, 2 deletions

diff --git a/lib/libc_r/uthread/uthread_close.c b/lib/libc_r/uthread/uthread_close.c
index 22c9394..dedd3e9 100644
--- a/lib/libc_r/uthread/uthread_close.c
+++ b/lib/libc_r/uthread/uthread_close.c
@@ -49,9 +49,11 @@ _close(int fd)
struct stat sb;
struct fd_table_entry *entry;
- if ((fd == _thread_kern_pipe[0]) || (fd == _thread_kern_pipe[1])) {
+ if ((fd == _thread_kern_pipe[0]) || (fd == _thread_kern_pipe[1]) ||
+ (_thread_fd_table[fd] == NULL)) {
/*
- * Don't allow silly programs to close the kernel pipe.
+ * Don't allow silly programs to close the kernel pipe
+ * and non-active descriptors.
*/
errno = EBADF;
ret = -1;
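
Review bot: The added test `(_thread_fd_table[fd] == NULL)` indexes the descriptor table with the caller-supplied fd, and no range check on fd is visible in this hunk before it, so a negative or too-large descriptor passed to close() would read outside the table rather than take the EBADF path. Suggest putting a bounds check on fd first in the same condition, ahead of the NULL test, so every invalid descriptor falls through to `errno = EBADF; ret = -1;`. The updated comment could also say why non-active descriptors are rejected (per the commit message, a stray close() otherwise allocates a table entry that later leaves the reused descriptor in blocking mode), since "silly programs" does not convey that.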