From f836d17195f74753aaca222d2b5f96e062775f2d Mon Sep 17 00:00:00 2001
From: pooka <pooka@NetBSD.org>
Date: Fri, 18 Feb 2011 16:10:09 +0000
Subject: [PATCH] Improve isrmt() check: it cannot be a rmt fd if there are no
 pipes open for the fd.  Prevents collision with rumphijack.

Also, prevent potential hyperspace memory access.

Does someone want to write tests for this facility?
---
 lib/librmt/rmtlib.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/librmt/rmtlib.c b/lib/librmt/rmtlib.c
index 89d2483bd1ab..5180f223ecea 100644
--- a/lib/librmt/rmtlib.c
+++ b/lib/librmt/rmtlib.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: rmtlib.c,v 1.22 2010/08/31 05:12:35 enami Exp $	*/
+/*	$NetBSD: rmtlib.c,v 1.23 2011/02/18 16:10:09 pooka Exp $	*/
 
 /*
  *	rmt --- remote tape emulator subroutines
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: rmtlib.c,v 1.22 2010/08/31 05:12:35 enami Exp $");
+__RCSID("$NetBSD: rmtlib.c,v 1.23 2011/02/18 16:10:09 pooka Exp $");
 
 #define RMTIOCTL	1
 /* #define USE_REXEC	1 */	/* rexec code courtesy of Dan Kegel, srs!dan */
@@ -670,8 +670,10 @@ rmtaccess(const char *path, int amode)
 int
 isrmt(int fd)
 {
+	int unbias = fd - REM_BIAS;
 
-	return (fd >= REM_BIAS);
+	return (fd >= REM_BIAS) && unbias < MAXUNIT &&
+	    (WRITE(unbias) != -1 || READ(unbias) != -1);
 }