Add or correct range checking of signal numbers in system calls and

ioctls.

In the particular case of ptrace(), this commit more-or-less reverts
revision 1.53 of sys_process.c, which appears to have been erroneous.

Reviewed by:	iedowse, jhb

sys/dev/bktr/bktr_core.c

@@ -1553,7 +1553,7 @@ video_ioctl( bktr_ptr_t bktr, int unit, ioctl_cmd_t cmd, caddr_t arg, struct thr
 		break;
 
 	case METEORSSIGNAL:
-		if(*(int *)arg == 0 || *(int *)arg >= NSIG) {
+		if(*(int *)arg <= 0 || *(int *)arg > _SIG_MAXSIG) {
 			return( EINVAL );
 			break;
 		}

sys/i386/isa/spigot.c

@@ -222,6 +222,8 @@ struct	spigot_info	*info;
 	if(!data) return(EINVAL);
 	switch(cmd){
 	case	SPIGOT_SETINT:
+		if (*(int *)data < 0 || *(int *)data > _SIG_MAXSIG)
+			return EINVAL;
 		ss->p = td->td_proc;
 		ss->signal_num = *((int *)data);
 		break;

sys/kern/sys_process.c

@@ -525,8 +525,8 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
 	case PT_STEP:
 	case PT_CONTINUE:
 	case PT_DETACH:
-		/* XXX data is used even in the PT_STEP case. */
-		if (req != PT_STEP && (unsigned)data > _SIG_MAXSIG) {
+		/* Zero means do not send any signal */
+		if (data < 0 || data > _SIG_MAXSIG) {
 			error = EINVAL;
 			goto fail;
 		}

sys/pci/meteor.c

@@ -1392,6 +1392,8 @@ meteor_ioctl(dev_t dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 		*(u_short *)arg = mtr->fps;
 		break;
 	case METEORSSIGNAL:
+		if (*(int *)arg < 0 || *(int *)arg > _SIG_MAXSIG)
+			return EINVAL;
 		mtr->signal = *(int *) arg;
 		if (mtr->signal) {
 		  mtr->proc = td->td_proc;