Bug 8466 - Fix bad assumption about dirent definition in dirsort plugin
Summary: Fix bad assumption about dirent definition in dirsort plugin
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.9.4
Hardware: All Solaris
: P5 normal (vote)
Target Milestone: 4.9
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-09-17 05:27 UTC by (account disabled)
Modified: 2018-12-27 22:50 UTC (History)
1 user (show)

See Also:

Fix invalid assumption about dirent structure definition (7.06 KB, patch)
2011-09-17 05:27 UTC, (account disabled)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description (account disabled) 2011-09-17 05:27:44 UTC
Created attachment 6904 [details]
Fix invalid assumption about dirent structure definition

The code assumed that dirent.d_name is statically defined as an array
large enough to hold the name. On Solaris this isn't the case: d_name
is defined as 'char d_name[1]'. Posix also does not specify that the
static definition must be a full-sized array. The result is a major
buffer overflow on such systems.

One implication of this is that dirent's need not all be the same size.

The fix here therefore removes both those assumptions. It allocates a
buffer that contains a set of pointers to dirent's, followed by the actual
dirent's. Furthermore it copies the individual dirent's based on their
actual dynamic size, not the static size of the struct. As an optimization
it makes use of popular, but non-posix-defined struct members where
available to efficiently determine the size, but falls back to the always
correct strlen() if these are not available.

A side effect of this is that this reduces the memory use quite
significantly in most cases.

Note: for the patch to apply cleanly, the previous patches in bugs
8463, 8464, and 8465 need to be applied first.
Comment 1 Björn Jacke 2018-12-27 22:50:01 UTC
this is still unfixed and needs fixing.