Bug 8466 - Fix bad assumption about dirent definition in dirsort plugin
Fix bad assumption about dirent definition in dirsort plugin
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: VFS Modules
3.6.0
All Solaris
: P5 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-09-17 05:27 UTC by (account disabled)
Modified: 2011-09-17 05:27 UTC (History)
0 users

See Also:


Attachments
Fix invalid assumption about dirent structure definition (7.06 KB, patch)
2011-09-17 05:27 UTC, (account disabled)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description (account disabled) 2011-09-17 05:27:44 UTC
Created attachment 6904 [details]
Fix invalid assumption about dirent structure definition

The code assumed that dirent.d_name is statically defined as an array
large enough to hold the name. On Solaris this isn't the case: d_name
is defined as 'char d_name[1]'. Posix also does not specify that the
static definition must be a full-sized array. The result is a major
buffer overflow on such systems.

One implication of this is that dirent's need not all be the same size.

The fix here therefore removes both those assumptions. It allocates a
buffer that contains a set of pointers to dirent's, followed by the actual
dirent's. Furthermore it copies the individual dirent's based on their
actual dynamic size, not the static size of the struct. As an optimization
it makes use of popular, but non-posix-defined struct members where
available to efficiently determine the size, but falls back to the always
correct strlen() if these are not available.

A side effect of this is that this reduces the memory use quite
significantly in most cases.

Note: for the patch to apply cleanly, the previous patches in bugs
8463, 8464, and 8465 need to be applied first.