On 03/01/2016 11:21 PM, Florian Weimer wrote:
> On 03/01/2016 10:01 PM, Michael Kerrisk (man-pages) wrote:
>> On 03/01/2016 09:27 PM, Florian Weimer wrote:
>>> On 03/01/2016 09:14 PM, Michael Kerrisk (man-pages) wrote:
>>>
>>>> What happens with readdir() when it gets a filename that is larger
>>>> than 255 characters?
>>>
>>> Good question. Ugh.
>>>
>>> readdir will return a pointer to a struct dirent whose d_name member
>>> will not be null-terminated, but the memory following the struct dirent
>>> object will contain the rest of the name, and will eventually be
>>> null-terminated.
>>
>> So, in other words, if the caller uses a declaration of the form
>>
>>     struct dirent d;
>>
>> (rather than say allocating a large buffer dynamically), then we have
>> a buffer overrun?
>
> readdir gives you only a struct dirent * to an internal buffer.

D'oh! Yes, of course. I wasn't thinking clearly as I wrote that
last night.

> If you do
>
>   struct dirent *e = readdir (dir);
>   memcpy (&d, e, sizeof (d));
>
> you can end up with a truncated name.

Got it.

> According to Paul's comment, this
> kind of truncation is very visible on Solaris.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
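
The truncation discussed in this thread, as an added example that is not code from the thread or from glibc. It builds a constructed stand-in for readdir's internal buffer (a struct dirent header followed by a 300-byte name), then contrasts the fixed-size memcpy with a copy sized by the real name length. The helper names and LONG_NAME_LEN are hypothetical, and a glibc-style struct dirent with a fixed-size d_name array is assumed.

```c
#include <dirent.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define LONG_NAME_LEN 300   /* constructed: longer than the declared d_name */

/* Constructed stand-in for readdir's internal buffer: a struct dirent
 * header followed by a name that runs past the end of d_name. */
static struct dirent *make_long_entry(void)
{
    size_t off = offsetof(struct dirent, d_name);
    size_t n = off + LONG_NAME_LEN + 1;
    if (n < sizeof(struct dirent))
        n = sizeof(struct dirent);
    char *raw = calloc(1, n);              /* zero fill supplies the final NUL */
    if (raw == NULL)
        return NULL;
    memset(raw + off, 'x', LONG_NAME_LEN);
    return (struct dirent *)raw;
}

/* Does a by-value struct dirent hold a complete, null-terminated name? */
static int copy_is_terminated(const struct dirent *d)
{
    return memchr(d->d_name, '\0', sizeof d->d_name) != NULL;
}

/* The pattern from the thread: copy by structure size.
 * Returns 0 when the copy lost the tail of the name and its terminator. */
static int fixed_size_copy_ok(const struct dirent *e)
{
    struct dirent d;
    memcpy(&d, e, sizeof d);
    return copy_is_terminated(&d);
}

/* Copy the name by its real length; the caller frees the result. */
static char *dup_entry_name(const struct dirent *e)
{
    const char *name = (const char *)e + offsetof(struct dirent, d_name);
    size_t len = strlen(name);
    char *out = malloc(len + 1);
    if (out != NULL)
        memcpy(out, name, len + 1);        /* includes the terminating NUL */
    return out;
}
```

A caller that must keep struct dirent copies can run the memchr check after copying and treat an unterminated d_name as an error rather than passing it to string functions.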