[Full-disclosure] readdir_r considered harmful

3APA3A 3APA3A at SECURITY.NNOV.RU
Tue Nov 1 11:12:05 GMT 2005


Dear Ben Hutchings,


If someone uses pathconf to determine the buffer size, it's his own problem
and he creates the vulnerability himself. You can list such applications
as vulnerable to race conditions.

The recommended (according to POSIX) way is to use NAME_MAX:

buf = (struct dirent *)malloc(offsetof(struct dirent, d_name) + NAME_MAX + 1);

See: The GNU C Library Reference Manual Chapter 14

and the POSIX standard itself says:

     The storage pointed to by entry shall be large enough for a dirent
     with an array of char d_name members containing at least
     {NAME_MAX}+1 elements.

See:
http://www.opengroup.org/onlinepubs/009695399/functions/readdir.html

NAME_MAX is defined in limits.h and should be 255 according to the latest
POSIX extension. I see no problem with the POSIX standard in this case.

See:
http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
--Tuesday, November 1, 2005, 6:57:03 AM, you wrote to bugtraq at securityfocus.com:

BH> readdir_r considered harmful
BH> ============================


BH>         if ((dir = opendir(argv[1]))
BH>             && (name_max = pathconf(argv[1], _PC_NAME_MAX)) > 0
BH>             && (buf = (struct dirent *)malloc(
BH>                     offsetof(struct dirent, d_name) + name_max + 1))

-- 
~/ZARAZA
http://www.security.nnov.ru/
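The allocation the post recommends, carried through to a complete readdir_r loop, as an added example that is not code from the original post or from either author. It sizes the entry buffer exactly as the quoted POSIX text requires (offsetof(struct dirent, d_name) + NAME_MAX + 1), creates a scratch directory under /tmp with three constructed files, counts them, and cleans up; the /tmp path and the file names are assumptions for the demo. Note that glibc has since marked readdir_r deprecated in favour of plain readdir, so a modern compiler may print a deprecation warning for the call.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Buffer size POSIX requires for the readdir_r entry argument: a dirent
 * whose d_name array holds at least NAME_MAX + 1 chars. */
size_t dirent_buf_size(void)
{
    return offsetof(struct dirent, d_name) + NAME_MAX + 1;
}

/* Count the entries of a directory (excluding "." and ".."), reading them
 * with readdir_r into a buffer sized by dirent_buf_size(). Returns -1 on
 * any failure so callers never mistake a partial count for success. */
long count_entries(const char *path)
{
    DIR *dir = opendir(path);
    if (dir == NULL)
        return -1;

    struct dirent *entry = malloc(dirent_buf_size());
    if (entry == NULL) {
        closedir(dir);
        return -1;
    }

    struct dirent *result = NULL;
    long count = 0;
    int rc;
    /* readdir_r returns 0 with result == NULL at end of directory, and a
     * positive errno value on error. */
    while ((rc = readdir_r(dir, entry, &result)) == 0 && result != NULL) {
        if (strcmp(result->d_name, ".") != 0 && strcmp(result->d_name, "..") != 0)
            count++;
    }

    free(entry);
    closedir(dir);
    return rc == 0 ? count : -1;
}

/* Constructed demo: create a scratch directory under /tmp with three files,
 * count them, and remove everything again. Returns the count (3 on success). */
long demo_count(void)
{
    char dirpath[] = "/tmp/readdir_demo.XXXXXX";   /* constructed, hypothetical path */
    if (mkdtemp(dirpath) == NULL)
        return -1;

    const char *names[] = { "alpha.txt", "beta.log", "gamma" };  /* constructed names */
    const size_t n_names = sizeof names / sizeof names[0];
    char filepath[PATH_MAX];
    long result = -1;

    for (size_t i = 0; i < n_names; i++) {
        snprintf(filepath, sizeof filepath, "%s/%s", dirpath, names[i]);
        int fd = open(filepath, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            goto cleanup;
        close(fd);
    }

    result = count_entries(dirpath);

cleanup:
    for (size_t i = 0; i < n_names; i++) {
        snprintf(filepath, sizeof filepath, "%s/%s", dirpath, names[i]);
        unlink(filepath);
    }
    rmdir(dirpath);
    return result;
}

int main(void)
{
    printf("entry buffer: %zu bytes (NAME_MAX = %d)\n", dirent_buf_size(), NAME_MAX);
    printf("entries counted: %ld\n", demo_count());
    return 0;
}
```

Because the buffer is sized from the compile-time NAME_MAX rather than from a runtime pathconf query, its size does not depend on which filesystem the directory lives on, which is the point the post makes against the pathconf-based allocation in the quoted code.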




Full-Disclosure is hosted and sponsored by Secunia.