misc/113668: scandir(3) uses st_size of directory in unsupported
manner
Ed Ravin
eravin at panix.com
Thu Jun 14 01:30:04 UTC 2007
>Number: 113668
>Category: misc
>Synopsis: scandir(3) uses st_size of directory in unsupported manner
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 14 01:30:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Ed Ravin
>Release:
>Organization:
Public Access Networks
>Environment:
>Description:
src/lib/libc/gen/scandir.c assumes that a directory's st_size is multiples of 24. This is against POSIX, which doesn't define what st_size means for directories, and will cause problems when run against an NFS-exported ZFS file system from a Solaris box, where st_size is the number of entries in the directory. For example, a 5-entry directory returns st_size of 5, and then scandir does "arraysz= st_size / 24", and then does a malloc() of arraysz bytes, then writes something into the memory (that wasn't) allocated.
See also NetBSD bug PR/36464. OpenBSD is similarly affected.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list