On Tue, Mar 01, 2016 at 11:21:11PM +0100, Florian Weimer wrote:
> On 03/01/2016 10:01 PM, Michael Kerrisk (man-pages) wrote:
> > On 03/01/2016 09:27 PM, Florian Weimer wrote:
> >> On 03/01/2016 09:14 PM, Michael Kerrisk (man-pages) wrote:
> >>
> >>> What happens with readdir() when it gets a filename that is larger
> >>> than 255 characters?
> >>
> >> Good question. Ugh.
> >>
> >> readdir will return a pointer to a struct dirent whose d_name member
> >> will not be null-terminated, but the memory following the struct dirent
> >> object will contain the rest of the name, and will eventually be
> >> null-terminated.
> >
> > So, in other words, if the caller uses a declaration of the form
> >
> > struct dirent d;
> >
> > (rather than say allocating a large buffer dynamically), then we have
> > a buffer overrun?
>
> readdir gives you only a struct dirent * to an internal buffer. If you do
>
> struct dirent *e = readdir (dir);
> memcpy (&d, e, sizeof (d));
>
> you can end up with a truncated name. According to Paul's comment, this
> kind of truncation is very visible on Solaris.

POSIX also cautions you that this is a permitted definition. See:

http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/dirent.h.html

It's covered under the description and rationale.

Rich
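The truncation Florian describes can be shown without a filesystem that permits over-long names. The following is an added example, not code from the thread or from glibc: it constructs a fake directory entry in memory whose name is longer than the d_name array (assumed to be 256 bytes, as on glibc and musl), copies it with the `memcpy(&d, e, sizeof d)` pattern quoted above, and shows that the copied d_name is no longer NUL-terminated, whereas sizing the copy from strlen() of the name behind the returned pointer keeps the whole name. The real readdir() loop at the end uses the same strlen-based copy; the function names and the 300-byte test length are this example's own choices.

```c
#define _GNU_SOURCE
#include <assert.h>
#include <dirent.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: build a directory entry in heap memory
 * whose d_name holds `len` characters followed by a NUL.  When len exceeds
 * the declared d_name array, the tail of the name lives in the bytes after
 * the struct, exactly as the thread describes for readdir()'s internal
 * buffer.  The name bytes are written through a char pointer computed from
 * offsetof() so the write is not bounded by the array's declared size. */
static struct dirent *make_entry(size_t len)
{
    size_t need = offsetof(struct dirent, d_name) + len + 1;
    size_t size = need > sizeof(struct dirent) ? need : sizeof(struct dirent);
    struct dirent *e = calloc(1, size);
    if (e == NULL)
        return NULL;
    char *name = (char *)e + offsetof(struct dirent, d_name);
    memset(name, 'a', len);
    name[len] = '\0';
    return e;
}

/* The pattern from the thread: copy the entry into a fixed-size
 * struct dirent.  Only sizeof(struct dirent) bytes are copied, so a name
 * longer than the d_name array loses its terminator.  Returns 1 if the
 * copied d_name still contains a NUL, 0 if it was truncated. */
static int naive_copy_is_terminated(const struct dirent *e)
{
    struct dirent d;
    memcpy(&d, e, sizeof d);
    return memchr(d.d_name, '\0', sizeof d.d_name) != NULL;
}

/* Safer: treat d_name as a NUL-terminated string of unknown length and
 * size the copy from strlen(), not from sizeof(d.d_name).  strdup() does
 * exactly that.  Caller frees the result. */
static char *copy_name(const struct dirent *e)
{
    return strdup(e->d_name);
}

/* Real readdir() use with the safe copy: counts entries in `path`
 * (excluding "." and "..") and records the longest name seen.
 * Returns -1 if the directory cannot be opened or memory runs out. */
static int count_entries(const char *path, size_t *longest)
{
    DIR *dir = opendir(path);
    if (dir == NULL)
        return -1;
    int n = 0;
    *longest = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char *name = copy_name(e);   /* never memcpy(&d, e, sizeof d) */
        if (name == NULL) {
            closedir(dir);
            return -1;
        }
        size_t len = strlen(name);
        if (len > *longest)
            *longest = len;
        free(name);
        n++;
    }
    closedir(dir);
    return n;
}

int main(void)
{
    struct dirent *longe = make_entry(300);   /* longer than d_name[256] */
    struct dirent *shorte = make_entry(5);
    if (longe == NULL || shorte == NULL)
        return 1;
    printf("short name, naive copy terminated: %d\n",
           naive_copy_is_terminated(shorte));
    printf("long name,  naive copy terminated: %d\n",
           naive_copy_is_terminated(longe));
    char *safe = copy_name(longe);
    printf("long name,  strlen-sized copy length: %zu\n", strlen(safe));
    size_t longest = 0;
    int n = count_entries(".", &longest);
    printf("entries in .: %d, longest name: %zu\n", n, longest);
    free(safe);
    free(longe);
    free(shorte);
    return 0;
}
```

The first printf reports 1 and the second 0: the 300-byte name fills all 256 bytes of the copied d_name with no terminator, so any later strlen() or printf("%s") on the copy reads past the array. The strlen-sized copy reports 300. The practical rule is the one Florian gives: use the pointer readdir() hands back (or a buffer sized from strlen(e->d_name)), never a value copy into `struct dirent d`.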