echo > /proc/ ^ `{cat /dev/ppid} ^ /noteid => system crash
problem appears when any garbage will sent to noteid. in turn, id=atoi(a) will become 0, loop will find first zeroed proc entry and strcmp will kill system. However, one doubt still here: atoi call. If n equals to zero, it will dereference pointer a.

Notes:
Mon Jan 24 11:46:40 EST 2005 jmk
    
    I have applied this patch.
    I've had 'stamp out atoi in the kernel' in my
    todo list for some time, so I won't put this
    patch into the 'applied' state yet as a reminder
    to do the right thing.
    
    --jim
    


Reference: /n/sources/patch/applied/kernel-devproc
Date: Wed Feb  2 18:21:37 CET 2005
Reviewed-by: jmk

--- /sys/src/9/port/devproc.c	Wed Feb  2 18:21:37 2005
+++ /sys/src/9/port/devproc.c	Wed Feb  2 18:21:37 2005
@@ -1097,7 +1097,7 @@
 		}
 		t = proctab(0);
 		for(et = t+conf.nproc; t < et; t++) {
-			if(id == t->noteid) {
+			if(id == t->noteid && t->state != Dead) {
 				if(strcmp(p->user, t->user) != 0)
 					error(Eperm);
 				p->noteid = id;