Date: Thu, 14 Jun 2007 01:22:44 GMT From: Ed Ravin <eravin@panix.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/113668: scandir(3) uses st_size of directory in unsupported manner Message-ID: <200706140122.l5E1MiAQ009617@www.freebsd.org> Resent-Message-ID: <200706140130.l5E1U3r7027084@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 113668 >Category: misc >Synopsis: scandir(3) uses st_size of directory in unsupported manner >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Jun 14 01:30:03 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Ed Ravin >Release: >Organization: Public Access Networks >Environment: >Description: src/lib/libc/gen/scandir.c assumes that a directory's st_size is multiples of 24. This is against POSIX, which doesn't define what st_size means for directories, and will cause problems when run against an NFS-exported ZFS file system from a Solaris box, where st_size is the number of entries in the directory. For example, a 5-entry directory returns st_size of 5, and then scandir does "arraysz= st_size / 24", and then does a malloc() of arraysz bytes, then writes something into the memory (that wasn't) allocated. See also NetBSD bug PR/36464. OpenBSD is similarly affected. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200706140122.l5E1MiAQ009617>