From 52cb1f8c5597fb04e1d7b9dcdc25638474c29fa7 Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Fri, 6 Feb 2004 12:12:58 +0000 Subject: [PATCH] (io_open, io_iopfromfd): Properly check argument FD to protect io_list[] indexing. (niop, io_init): Store length of io_list[] in new niop. (player_accept): Checking the socket file descriptor here is now redundant. Remove. --- src/lib/gen/io.c | 16 ++++++++++++---- src/lib/player/accept.c | 8 -------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/lib/gen/io.c b/src/lib/gen/io.c index 00f971f1..10e55ed3 100644 --- a/src/lib/gen/io.c +++ b/src/lib/gen/io.c @@ -67,6 +67,7 @@ extern struct player *player; /* XXX */ static struct iop **io_list; +static int niop; static struct io_mask *iom; static int fdmax; /* largest file descriptor seen */ static fd_set newoutput; @@ -85,25 +86,30 @@ void io_init(void) { iom = iom_create(IO_READ | IO_WRITE); - io_list = (struct iop **)calloc(getfdtablesize(), sizeof(*io_list)); + niop = getfdtablesize(); + io_list = (struct iop **)calloc(niop, sizeof(*io_list)); fdmax = 0; FD_ZERO(&newoutput); } struct iop * -io_open(int fd, int flags, int bufsize, int (*notify) (void), +io_open(int fd, int flags, int bufsize, int (*notify)(void), s_char *assoc) { struct iop *iop; + if (fd < 0 || niop < fd) + return NULL; if (io_list[fd] != 0) { /* already exists */ - return 0; + return NULL; } flags = flags & (IO_READ | IO_WRITE | IO_NBLOCK | IO_NEWSOCK); if ((flags & (IO_READ | IO_WRITE)) == 0) - return 0; + return NULL; iop = (struct iop *)malloc(sizeof(struct iop)); + if (!iop) + return NULL; iop->fd = fd; iop->input = 0; iop->output = 0; @@ -522,5 +528,7 @@ io_fileno(struct iop *iop) struct iop * io_iopfromfd(int fd) { + if (fd < 0 || niop < fd) + return NULL; return io_list[fd]; } diff --git a/src/lib/player/accept.c b/src/lib/player/accept.c index cd31de67..787da8dd 100644 --- a/src/lib/player/accept.c +++ b/src/lib/player/accept.c 
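Review bot: The new guard `if (fd < 0 || niop < fd)` in io_open is off by one: io_list is allocated with `calloc(niop, sizeof(*io_list))`, so valid indexes are 0 to niop-1, yet `fd == niop` still passes and `io_list[fd]` is then read one element past the allocation. The test should be `if (fd < 0 || fd >= niop) return NULL;`, and the same correction applies to the identical check added to io_iopfromfd in the last hunk of this file. This matters more because the commit also deletes the `ns >= maxfd` test from player_accept, which appears to leave these checks as the only bound on the descriptor. Separately, io_init sets niop without checking the calloc result, so a failed allocation leaves io_list NULL while the guard still admits every fd below niop; checking the result there would close that path. io_open's body continues outside the hunk.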
@@ -200,7 +200,6 @@ player_accept(void *argv) int s; short port; int val; - int maxfd; struct player *np; int len; int ns; @@ -248,7 +247,6 @@ player_accept(void *argv) exit(1); } #endif - maxfd = getfdtablesize() - 1; while (1) { empth_select(s, EMPTH_FD_READ); len = sizeof(sin); @@ -259,12 +257,6 @@ player_accept(void *argv) } (void)setsockopt(ns, SOL_SOCKET, SO_KEEPALIVE, (char *)&set, sizeof(set)); - if (ns >= maxfd) { - logerror("new fd %d, max %d, no fd's left for new user", - ns, maxfd); - close(ns); - continue; - } np = player_new(ns, &sin); if (!np) { logerror("can't create player for fd %d", ns);