From 6cd5630e137fcebe649675490aa935f5d00b1516 Mon Sep 17 00:00:00 2001
From: christos <christos@NetBSD.org>
Date: Fri, 13 Nov 2015 15:22:12 +0000
Subject: [PATCH] Do proper accounting for the extra -1 slot. Perhaps this is
 too confusing and it would be better to just access the array with [fd + 1]
 instead?

---
 lib/libc/rpc/svc.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/lib/libc/rpc/svc.c b/lib/libc/rpc/svc.c
index 08c8c317c962..798ade0f6a15 100644
--- a/lib/libc/rpc/svc.c
+++ b/lib/libc/rpc/svc.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: svc.c,v 1.38 2015/11/13 11:43:26 tron Exp $	*/
+/*	$NetBSD: svc.c,v 1.39 2015/11/13 15:22:12 christos Exp $	*/
 
 /*
  * Copyright (c) 2010, Oracle America, Inc.
@@ -37,7 +37,7 @@
 static char *sccsid = "@(#)svc.c 1.44 88/02/08 Copyr 1984 Sun Micro";
 static char *sccsid = "@(#)svc.c	2.4 88/08/11 4.0 RPCSRC";
 #else
-__RCSID("$NetBSD: svc.c,v 1.38 2015/11/13 11:43:26 tron Exp $");
+__RCSID("$NetBSD: svc.c,v 1.39 2015/11/13 15:22:12 christos Exp $");
 #endif
 #endif
 
@@ -130,34 +130,41 @@ static void __xprt_do_unregister(SVCXPRT *xprt, bool_t dolock);
 static bool_t
 xprt_alloc(int sock)
 {
-	int maxset;
+	int oldmaxxports, newmaxxports;
 	SVCXPRT **oldxports, **newxports;
 
 	if (++sock < 0)
 		return FALSE;
 
-	maxset = svc_fdset_getsize(sock);
-	if (maxset == -1)
+	newmaxxports = svc_fdset_getsize(sock);
+	if (newmaxxports == -1)
 		return FALSE;
 
-	if (__svc_xports != NULL && maxset <= __svc_maxxports)
+	if (__svc_xports != NULL && newmaxxports < __svc_maxxports)
 		return TRUE;
 
 	oldxports = __svc_xports;
-	if (oldxports != NULL)
+	oldmaxxports = __svc_maxxports;
+	if (oldxports != NULL) {
+		/* revert saving [-1] slot */
 		--oldxports;
-	newxports = realloc(oldxports, maxset * sizeof(SVCXPRT *));
+		++oldmaxxports;
+	}
+
+	/* reserve an extra slot for [-1] */
+	newmaxxports++;
+	newxports = realloc(oldxports, newmaxxports * sizeof(SVCXPRT *));
 	if (newxports == NULL) {
 		warn("%s: out of memory", __func__);
 		return FALSE;
 	}
 
-	memset(&newxports[__svc_maxxports], 0,
-	    (maxset - __svc_maxxports) * sizeof(SVCXPRT *));
+	memset(&newxports[oldmaxxports], 0,
+	    (newmaxxports - oldmaxxports) * sizeof(SVCXPRT *));
 
-	__svc_xports = newxports;
-	__svc_xports++;
-	__svc_maxxports = maxset;
+	/* save one slot for [-1] */
+	__svc_xports = newxports + 1;
+	__svc_maxxports = newmaxxports - 1;
 
 	return TRUE;
 }