Synopsis: Repeated TIOCSCTTY ioctl can corrupt session hold counts NetBSD versions: -current, 1.6*, 1.5 Thanks to: David Laight, Jaromir Dolecek Reported in NetBSD Security Advisory: NetBSD-SA2002-007 Index: kern/tty.c =================================================================== RCS file: /cvsroot/syssrc/sys/kern/tty.c,v retrieving revision 1.138 retrieving revision 1.139 diff -u -p -c -p -r1.138 -r1.139 *** kern/tty.c 2002/05/02 13:38:57 1.138 --- kern/tty.c 2002/07/21 20:43:53 1.139 *************** *** 987,992 **** --- 987,996 ---- ((p->p_session->s_ttyvp || tp->t_session) && (tp->t_session != p->p_session))) return (EPERM); + + if (tp->t_session) + SESSRELE(tp->t_session); + SESSHOLD(p->p_session); tp->t_session = p->p_session; tp->t_pgrp = p->p_pgrp;
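Review bot: In the added lines after the EPERM return, SESSRELE(tp->t_session) runs before SESSHOLD(p->p_session), yet the visible guard rejects any non-NULL tp->t_session that differs from p->p_session, so whenever the release branch is taken both macros act on the same session. The drop-then-retake is only safe while some other reference keeps the count above zero in between; if SESSRELE frees the session on the last reference, the following SESSHOLD and the assignment to tp->t_session would touch freed memory. Consider taking the hold first and releasing the old pointer afterwards, or skipping both when tp->t_session == p->p_session, which makes the repeated-ioctl case an explicit no-op on the count. A short comment stating that tp->t_session owns exactly one hold on the session would also help, since that invariant is what the repeated TIOCSCTTY named in the synopsis was breaking and nothing in the hunk documents it.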