From owner-freebsd-hackers  Sun May 14 12:22:47 2000
Delivered-To: freebsd-hackers@freefall.freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by hub.freebsd.org (Postfix) with ESMTP id 3BE0A37B63D
	for <freebsd-hackers@freefall.freebsd.org>; Sun, 14 May 2000 12:22:42 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id VAA01177;
	Sun, 14 May 2000 21:22:04 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: freebsd-hackers@freefall.freebsd.org
Subject: Re: PR kern/18346 - struct file ref count is a short, can be overflowed 
In-reply-to: Your message of "Sun, 14 May 2000 12:12:33 PDT."
             <200005141912.MAA07098@apollo.backplane.com> 
Date: Sun, 14 May 2000 21:22:03 +0200
Message-ID: <1175.958332123@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <200005141912.MAA07098@apollo.backplane.com>, Matthew Dillon writes:
>    PR kern/18346
>
>    I would like to bump struct file f_count and f_msgcount from
>    a short to an int, in both 5.x and 4.x, because the program
>    supplied with the PR can demonstratably crash the machine from
>    userland and cause other serious problems, such as file descriptor
>    stealing (what happens when you roll the ref count to 0?).  Any 
>    objections?

Agreed.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message