On 03/01/2016 10:01 PM, Michael Kerrisk (man-pages) wrote:
> On 03/01/2016 09:27 PM, Florian Weimer wrote:
>> On 03/01/2016 09:14 PM, Michael Kerrisk (man-pages) wrote:
>>
>>> What happens with readdir() when it gets a filename that is larger
>>> than 255 characters?
>>
>> Good question. Ugh.
>>
>> readdir will return a pointer to a struct dirent whose d_name member
>> will not be null-terminated, but the memory following the struct dirent
>> object will contain the rest of the name, and will eventually be
>> null-terminated.
>
> So, in other words, if the caller uses a declaration of the form
>
> struct dirent d;
>
> (rather than say allocating a large buffer dynamically), then we have
> a buffer overrun?

readdir gives you only a struct dirent * to an internal buffer. If you do

struct dirent *e = readdir (dir);
memcpy (&d, e, sizeof (d));

you can end up with a truncated name.

According to Paul's comment, this kind of truncation is very visible on
Solaris.

Florian
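Added example (not from the thread or from glibc): a constructed stand-in for the internal buffer readdir() points into, with a name longer than d_name[], showing that the memcpy-into-a-fixed-struct pattern above leaves d_name without a NUL, and how a caller copies the name by length instead, rejecting names that do not fit. make_long_entry() and the 300-byte name are constructed test data; the code assumes glibc's layout, where d_name is 256 bytes and the remainder of the name plus its NUL follows the struct, as Florian describes.

```c
#include <dirent.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a readdir() entry's name into caller memory of size cap.  Returns the
 * name length, or -1 if name plus NUL does not fit.  strlen() runs past the
 * end of d_name for an over-long name; that is safe only because (per the
 * thread) glibc keeps the rest of the name and its NUL right after the struct. */
long copy_entry_name(const struct dirent *e, char *out, size_t cap)
{
    size_t len = strlen(e->d_name);
    if (len + 1 > cap)
        return -1;                 /* caller must fall back to a larger buffer */
    memcpy(out, e->d_name, len + 1);
    return (long)len;
}

/* After memcpy(&d, e, sizeof d): is d.d_name still NUL-terminated?  If not,
 * the name was truncated and a later strlen(d.d_name) overruns d. */
int dirent_copy_is_terminated(const struct dirent *d)
{
    return memchr(d->d_name, '\0', sizeof d->d_name) != NULL;
}

/* Constructed stand-in for readdir()'s internal buffer: a struct dirent
 * followed by the remainder of a name_len-byte name and its NUL. */
struct dirent *make_long_entry(size_t name_len)
{
    size_t total = offsetof(struct dirent, d_name) + name_len + 1;
    if (total < sizeof(struct dirent))
        total = sizeof(struct dirent);
    char *raw = calloc(1, total);
    if (raw != NULL)
        memset(raw + offsetof(struct dirent, d_name), 'a', name_len);
    return (struct dirent *)raw;
}

int main(void)
{
    struct dirent *e = make_long_entry(300), d;   /* 300 > sizeof d.d_name */
    char fixed[sizeof d.d_name], big[512];

    memcpy(&d, e, sizeof d);                      /* the pattern in the thread */
    printf("struct copy terminated: %d\n", dirent_copy_is_terminated(&d));
    printf("into %zu bytes: %ld\n", sizeof fixed, copy_entry_name(e, fixed, sizeof fixed));
    printf("into %zu bytes: %ld\n", sizeof big, copy_entry_name(e, big, sizeof big));
    free(e);
    return 0;
}
```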