The Samba-Bugzilla – Bug 8466
Fix bad assumption about dirent definition in dirsort plugin
Last modified: 2011-09-17 05:27:44 UTC
Created attachment 6904 [details]
Fix invalid assumption about dirent structure definition
The code assumed that dirent.d_name is statically defined as an array
large enough to hold the name. On Solaris this isn't the case: d_name
is defined as 'char d_name'. Posix also does not specify that the
static definition must be a full-sized array. The result is a major
buffer overflow on such systems.
One implication of this is that dirent's need not all be the same size.
The fix here therefore removes both those assumptions. It allocates a
buffer that contains a set of pointers to dirent's, followed by the actual
dirent's. Furthermore it copies the individual dirent's based on their
actual dynamic size, not the static size of the struct. As an optimization
it makes use of popular, but non-posix-defined struct members where
available to efficiently determine the size, but falls back to the always
correct strlen() if these are not available.
A side effect of this is that this reduces the memory use quite
significantly in most cases.
Note: for the patch to apply cleanly, the previous patches in bugs
8463, 8464, and 8465 need to be applied first.