If the file descriptors passed into do_dup() are negative, return EBADF

instead of panicing. Also, perform some of the simpler sanity checks on the fds before acquiring the filedesc lock. Approved by: re Reported by: Dan Nelson <dan@emsphone.com> and others
author: jhb <jhb@FreeBSD.org> 2002-11-26 17:22:15 +0000
committer: jhb <jhb@FreeBSD.org> 2002-11-26 17:22:15 +0000
commit: 390d1b415b4ef343dc89c751254861f0a69afeef (patch)
tree: 9ed4a394b401eaf22a67ecbfc26542743210735d /sys
parent: 2f11222833739f6b579a85ecde37ef6edf2e138c (diff)
download: FreeBSD-src-390d1b415b4ef343dc89c751254861f0a69afeef.zip
FreeBSD-src-390d1b415b4ef343dc89c751254861f0a69afeef.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 13b339b..852cd39 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -469,10 +469,11 @@ do_dup(td, type, old, new, retval)
 	 * Verify we have a valid descriptor to dup from and possibly to
 	 * dup to.
 	 */
+	if (old < 0 || new < 0 || new >= p->p_rlimit[RLIMIT_NOFILE].rlim_cur ||
+	    new >= maxfilesperproc)
+		return (EBADF);
 	FILEDESC_LOCK(fdp);
-	if (old >= fdp->fd_nfiles || fdp->fd_ofiles[old] == NULL ||
-	    new >= p->p_rlimit[RLIMIT_NOFILE].rlim_cur ||
-	    new >= maxfilesperproc) {
+	if (old >= fdp->fd_nfiles || fdp->fd_ofiles[old] == NULL) {
 		FILEDESC_UNLOCK(fdp);
 		return (EBADF);
 	}
author	jhb <jhb@FreeBSD.org>	2002-11-26 17:22:15 +0000
committer	jhb <jhb@FreeBSD.org>	2002-11-26 17:22:15 +0000
commit	390d1b415b4ef343dc89c751254861f0a69afeef (patch)
tree	9ed4a394b401eaf22a67ecbfc26542743210735d /sys
parent	2f11222833739f6b579a85ecde37ef6edf2e138c (diff)
download	FreeBSD-src-390d1b415b4ef343dc89c751254861f0a69afeef.zip FreeBSD-src-390d1b415b4ef343dc89c751254861f0a69afeef.tar.gz