Bug 3776 - readdir() does not always return memory of sizeof(struct dirent)
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.3.2
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
Reported: 2006-12-21 03:15 UTC by Derrell Lipman
Modified: 2016-05-08 13:59 UTC
fweimer: security-

Description Derrell Lipman 2006-12-21 03:15:47 UTC
The readdir() man page states that readdir() returns a pointer to a struct dirent, and shows the fields of the dirent structure which include d_name[256]. It appears, however, that readdir() actually returns a pointer to within the dirp buffer, and if towards the end of the dirp buffer, the pointer returned by readdir() may not be accessible through the full sizeof(struct dirent). This disallows structure assignments or memcpy of the entire structure as they cause segmentation violations.

The easiest solution to this problem is probably to change the man page to indicate that, although the structure has a d_name[256] field, it should be treated, as with POSIX, as only long enough to hold the file name and its terminating null character. Accesses beyond that null byte may cause (and have been seen in the wild to actually cause) a segmentation violation.
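The whole-struct copy hazard the report describes can be avoided by copying only the bytes readdir() actually guarantees: the fixed fields before d_name plus the name and its terminating null. The following is an added example, not code from the report or from glibc; it assumes a POSIX system where d_name is the last member of struct dirent (as in glibc) and that /tmp is writable for the constructed test directory.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bytes of *ent that are actually valid: the fixed fields before d_name
 * plus the name and its terminating NUL. Copying sizeof(struct dirent)
 * instead can read past the end of the DIR's internal buffer. */
static size_t dirent_used_size(const struct dirent *ent)
{
    return offsetof(struct dirent, d_name) + strlen(ent->d_name) + 1;
}

/* Copy only the valid bytes into a caller-owned struct dirent and zero
 * the rest, so dst is a complete, safely readable object. */
static void dirent_copy(struct dirent *dst, const struct dirent *ent)
{
    memset(dst, 0, sizeof *dst);
    memcpy(dst, ent, dirent_used_size(ent));
}

/* Demo: make a temporary directory with one constructed file, read it
 * back with readdir() and copy each entry safely. Returns 1 if the
 * copied entry for the file was seen, 0 otherwise. */
int demo_copy_entry(void)
{
    char dir[] = "/tmp/dirent_demo_XXXXXX", path[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/hello.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    int found = 0;
    DIR *d = opendir(dir);
    if (d) {
        struct dirent copy, *ent;
        while ((ent = readdir(d)) != NULL) {
            dirent_copy(&copy, ent);   /* not copy = *ent, not memcpy of sizeof copy */
            if (strcmp(copy.d_name, "hello.txt") == 0) found = 1;
        }
        closedir(d);
    }
    unlink(path);
    rmdir(dir);
    return found;
}
```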
Comment 1 Ulrich Drepper 2006-12-21 06:32:44 UTC
The man pages are not part of glibc and the info pages never say anywhere that the object pointed to by the return value is at least as large as struct dirent. The code is fine, glibc's documentation is fine.