
readdir_r stack overrun

From: David Kaelbling <drk@sgi.com>
Date: Tue, 10 Dec 2002 12:00:19 -0500
Message-ID: <3DF61DA3.4A128A82@sgi.com>
To: www-lib@w3.org

Browsing the w3c-libwww source code, it looks like if READDIR_R_3 is
defined (because --enable-reentrant is used) the stack will get
corrupted.  Both HTFile_readDir() and HTMulti.c's dir_matches() allocate
"struct dirent result;".  The buffer needs to be bigger.  The IRIX man
page says:

     ... The storage pointed to by entry shall be large enough 
     for a dirent with an array of char d_name member containing 
     at least {NAME_MAX} plus one elements.

If you pass something sizeof(struct dirent) then readdir_r will write
off the end of it when processing any non-trivial filename.

	David

-- 
David KAELBLING <drk@sgi.com>	    Silicon Graphics Computer Systems
1 Cabot Rd, suite 250; Hudson, MA 01749	    781.839.2157, fax ...2357
Received on Tuesday, 10 December 2002 12:02:27 GMT
