>> Given how limcopy() works, I think there is also a use-after-free
>> bug: [...]

> Arg, you're rigth. I don't know what's the best here:
> a) add a refcount for pl_corename
> b) always do a malloc() in limcopy() if pl_corename != defcorename

I'd prefer (b) - significantly less complicated.  Since normally only
shells mess with limits anyway, and seldom except at startup, I don't
expect it to be a very large penalty, even given the current behavior
you describe of calling limcopy() when setting any limit even if the
values match the current ones.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B