CVE-2005-4733
Description
NetBSD 2.0 before 20050316 and NetBSD-current before 20050112 allow local users to cause a denial of service (infinite loop and system hang) by calling the F_CLOSEM fcntl with a parameter value of 0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (2)
Vulnerability mechanics
Root cause
Ambiguous sentinel value: `fd_lastfile` was initialized to 0, which could not distinguish between "file descriptor 0 is open" and "no file descriptors are open", causing an infinite loop in the `F_CLOSEM` fcntl.
Attack vector
A local user calls the `F_CLOSEM` fcntl with a parameter value of 0, which asks the kernel to close every descriptor from 0 upward [ref_id=1]. The kernel works down from `fd_lastfile`, but because `fd_lastfile` is 0 both when descriptor 0 is open and when the table is empty, it cannot tell that it has run out of descriptors: it keeps treating 0 as "descriptor 0 is the last open fd" and loops forever, hanging the system [ref_id=1]. No special privileges or network access are required, only the ability to invoke the fcntl syscall locally.
Affected code
The vulnerability is in `src/sys/kern/kern_descrip.c` [ref_id=1]. The `find_last_set` function could return 0 both when file descriptor 0 was open and when no file descriptors were open at all, because `fd_lastfile` was initialized to 0 instead of -1 [ref_id=1].
What the fix does
The patch changes `fd_lastfile` to be initialized to -1 instead of 0, and makes `find_last_set` return -1 when no file descriptors are open [ref_id=1]. This eliminates the ambiguity where 0 meant both "fd 0 is open" and "no fds are open", which previously caused the `F_CLOSEM` fcntl to loop indefinitely [ref_id=1]. A secondary fix corrects the `memset()` size in `fdcopy()` that was clearing more entries than needed [ref_id=1].
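The following is an added illustration, not NetBSD's code or the patch itself: a toy descriptor table that keeps only the two pieces the CVE turns on, `fd_lastfile` and `find_last_set`, and runs the `F_CLOSEM` loop with a bounded iteration counter so the vulnerable variant reports "would hang" instead of hanging. The loop shape (`while (fd_lastfile >= fd) release(fd_lastfile)`) and the helper names `fdtab`, `closem` and `trigger` are assumptions made for the demo; the real `fdrelease`/`fd_unused` path and `fdp` layout differ.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a NetBSD-style descriptor table (constructed for this
 * example, not kernel code). Only fd_lastfile and find_last_set are
 * modelled, since those are what the fix changes. */

#define NFDS 16
#define LOOP_LIMIT 1000   /* guard: the real kernel has no such limit */

struct fdtab {
    int open[NFDS];       /* 1 if descriptor i is open */
    int fd_lastfile;      /* highest open fd, or the "empty" sentinel */
};

/* Vulnerable: 0 means both "only fd 0 is open" and "nothing is open". */
static int find_last_set_bad(const struct fdtab *t)
{
    for (int i = NFDS - 1; i >= 0; i--)
        if (t->open[i])
            return i;
    return 0;
}

/* Fixed: -1 is a sentinel no real descriptor can collide with. */
static int find_last_set_fixed(const struct fdtab *t)
{
    for (int i = NFDS - 1; i >= 0; i--)
        if (t->open[i])
            return i;
    return -1;
}

static void fdtab_init(struct fdtab *t, int fixed)
{
    memset(t, 0, sizeof *t);
    t->fd_lastfile = fixed ? -1 : 0;   /* the patch turns this 0 into -1 */
}

static void fd_open(struct fdtab *t, int fd)
{
    t->open[fd] = 1;
    if (fd > t->fd_lastfile)
        t->fd_lastfile = fd;
}

/* Close one descriptor and recompute fd_lastfile from the table. */
static void fdrelease(struct fdtab *t, int fd, int fixed)
{
    t->open[fd] = 0;
    t->fd_lastfile = fixed ? find_last_set_fixed(t) : find_last_set_bad(t);
}

/* F_CLOSEM semantics: close every descriptor >= fd (assumed loop shape).
 * Returns the number of iterations, or -1 once LOOP_LIMIT is exceeded,
 * i.e. where the unbounded kernel loop would spin forever. */
static int closem(struct fdtab *t, int fd, int fixed)
{
    int iters = 0;
    while (t->fd_lastfile >= fd) {
        if (++iters > LOOP_LIMIT)
            return -1;
        fdrelease(t, t->fd_lastfile, fixed);
    }
    return iters;
}

/* Open descriptors 0..nopen-1, then issue F_CLOSEM with fd 0. */
static int trigger(int fixed, int nopen)
{
    struct fdtab t;
    fdtab_init(&t, fixed);
    for (int i = 0; i < nopen; i++)
        fd_open(&t, i);
    return closem(&t, 0, fixed);
}

int main(void)
{
    printf("vulnerable, 3 fds open:  %d\n", trigger(0, 3));  /* -1: would hang */
    printf("vulnerable, empty table: %d\n", trigger(0, 0));  /* -1: would hang */
    printf("fixed, 3 fds open:       %d\n", trigger(1, 3));  /* 3 */
    printf("fixed, empty table:      %d\n", trigger(1, 0));  /* 0 */
    return 0;
}
```

Note that the vulnerable variant hangs even when descriptors are open: once descriptor 0 itself is closed, `find_last_set_bad` still reports 0, so `fd_lastfile >= 0` stays true and the loop re-closes an already-closed fd 0 forever. With -1 as the empty sentinel the comparison fails as soon as the table is empty.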
Preconditions
- Auth: Attacker must be a local user on the system
- Input: `fd_lastfile` must reach 0 with no descriptor open, either because no file descriptors are open when the call is made or because the `F_CLOSEM` loop closes every descriptor down to 0 and `find_last_set` then reports 0 for the empty table
Reproduction
The reference write-up does not include reproduction steps beyond describing the trigger: calling `F_CLOSEM` fcntl with a parameter value of 0 when no file descriptors are open [ref_id=1].
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
No linked articles in our index yet.