Subject: kernel tty indirect through zero
Index: sys/{tty.c,tty_pty.c} 4.3BSD

Description:
	The kernel could indirect through a NULL pointer in the tty
	driver.
Repeat-By:
	Examine the code.
Fix:
	Apply the following patches.

*** tty.c.old	Tue Oct  6 20:18:25 1987
--- tty.c	Tue Oct  6 20:19:27 1987
***************
*** 132,138 ****
  	register int s = spltty();
  
  	while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) &&
! 	    tp->t_state&TS_CARR_ON) {
  		(*tp->t_oproc)(tp);
  		tp->t_state |= TS_ASLEEP;
  		sleep((caddr_t)&tp->t_outq, TTOPRI);
--- 132,138 ----
  	register int s = spltty();
  
  	while ((tp->t_outq.c_cc || tp->t_state&TS_BUSY) &&
! 	    tp->t_state&TS_CARR_ON && tp->t_oproc) {
  		(*tp->t_oproc)(tp);
  		tp->t_state |= TS_ASLEEP;
  		sleep((caddr_t)&tp->t_outq, TTOPRI);

*** tty_pty.c.old	Tue Oct  6 20:18:43 1987
--- tty_pty.c	Tue Oct  6 20:19:06 1987
***************
*** 208,214 ****
  		return (EIO);
  	tp->t_oproc = ptsstart;
  	(void)(*linesw[tp->t_line].l_modem)(tp, 1);
- 	tp->t_state |= TS_CARR_ON;
  	pti = &pt_ioctl[minor(dev)];
  	pti->pt_flags = 0;
  	pti->pt_send = 0;
--- 208,213 ----
***************
*** 223,228 ****
--- 222,228 ----
  
  	tp = &pt_tty[minor(dev)];
  	(void)(*linesw[tp->t_line].l_modem)(tp, 0);
+ 	tp->t_state &= ~TS_CARR_ON;
  	tp->t_oproc = 0;		/* mark closed */
  }