Fixed null pointer panic in devtotty(). Fixed bounds checking in

devtotty().  devtotty() must check its arg carefully since the arg is
supplied as ioctl data.  This should fix PR3004.

Renamed devtotty() to snpdevtotty().

1 files changed, 13 insertions, 7 deletions

diff --git a/sys/kern/tty_snoop.c b/sys/kern/tty_snoop.c
index c09ccd7..0e14b60 100644
--- a/sys/kern/tty_snoop.c
+++ b/sys/kern/tty_snoop.c
@@ -54,17 +54,23 @@ static struct cdevsw snp_cdevsw =
 
 static struct snoop snoopsw[NSNP];
 
-static struct tty	*devtotty __P((dev_t dev));
+static struct tty	*snpdevtotty __P((dev_t dev));
 static int		snp_detach __P((struct snoop *snp));
 
 static struct tty *
-devtotty (dev)
+snpdevtotty (dev)
 	dev_t		dev;
 {
-	if (major(dev) > nchrdev)
-		return (NULL);		/* no such device available */
-
-	return (*cdevsw[major(dev)]->d_devtotty)(dev);
+	struct cdevsw	*cdp;
+	int		maj;
+
+	maj = major(dev);
+	if ((u_int)maj >= nchrdev)
+		return (NULL);
+	cdp = cdevsw[maj];
+	if (cdp == NULL)
+		return (NULL);
+	return ((*cdp->d_devtotty)(dev));
 }
 
 #define SNP_INPUT_BUF	5	/* This is even too  much,the maximal
@@ -404,7 +410,7 @@ snpioctl(dev, cmd, data, flags, p)
 		if (tdev == -1)
 			return (snpdown(snp));
 
-		tp = devtotty(tdev);
+		tp = snpdevtotty(tdev);
 		if (!tp)
 			return (EINVAL);