From owner-freebsd-hackers Sun May 14 12:12:41 2000
Delivered-To: freebsd-hackers@freefall.freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by hub.freebsd.org (Postfix) with ESMTP id 9169037BE4B
	for ; Sun, 14 May 2000 12:12:33 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.3/8.9.1) id MAA07098;
	Sun, 14 May 2000 12:12:33 -0700 (PDT)
	(envelope-from dillon)
Date: Sun, 14 May 2000 12:12:33 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200005141912.MAA07098@apollo.backplane.com>
To: freebsd-hackers@freefall.freebsd.org
Subject: PR kern/18346 - struct file ref count is a short, can be overflowed
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

    PR kern/18346

    I would like to bump struct file f_count and f_msgcount from a short
    to an int, in both 5.x and 4.x, because the program supplied with the
    PR can demonstrably crash the machine from userland and cause other
    serious problems, such as file descriptor stealing (what happens when
    you roll the ref count to 0?).

    Any objections?

    Modules that use the struct file directly:

	(misc in-kernel modules)
	miscfs/portal
	miscfs/union
	miscfs/fdesc
	miscfs/fifofs
	netgraph
	dev/streams
	linux module

    Programs:

	'pstat' program
	'fstat' program

					-Matt
					Matthew Dillon
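
Added example, not part of the original message and not the program attached to the PR: a userland model of a 16-bit reference count next to the widened int count. The struct and function names are hypothetical stand-ins, short is assumed to be 16 bits, and hold_checked() is an extra guard the message does not propose.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-ins for the two counter widths; not FreeBSD's struct file. */
struct file_short { short f_count; };
struct file_int   { int f_count; };

/* Take n extra references on the 16-bit counter. Narrowing an out-of-range
 * value is implementation-defined; it wraps modulo 2^16 on the usual
 * two's-complement compilers (gcc, clang). */
short hold_short(struct file_short *fp, long n)
{
    for (long i = 0; i < n; i++)
        fp->f_count = (short)(fp->f_count + 1);
    return fp->f_count;
}

/* Same operation on the widened counter. */
int hold_int(struct file_int *fp, long n)
{
    for (long i = 0; i < n; i++)
        fp->f_count++;
    return fp->f_count;
}

/* Drop one reference; returns 1 when the count reaches 0, which is the
 * point where the object would be freed. */
int release_short(struct file_short *fp) { return --fp->f_count == 0; }
int release_int(struct file_int *fp)     { return --fp->f_count == 0; }

/* Assumption beyond the message: an int counter is still finite, so this
 * hold refuses instead of wrapping. Returns 0 on success, -1 when full. */
int hold_checked(struct file_int *fp)
{
    if (fp->f_count == INT_MAX)
        return -1;
    fp->f_count++;
    return 0;
}

int main(void)
{
    struct file_short s = { 1 };   /* one legitimate holder */
    struct file_int w = { 1 };
    printf("short after 65536 holds: %d\n", hold_short(&s, 65536));
    printf("int   after 65536 holds: %d\n", hold_int(&w, 65536));
    printf("one release frees short-counted object: %d\n", release_short(&s));
    printf("one release frees int-counted object:   %d\n", release_int(&w));
    return 0;
}
```

With the short counter, a single release drops the count to 0 while 65536 references are still outstanding; with the int counter the same release leaves the object live.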