Message-ID: <228939283.20051101141205@SECURITY.NNOV.RU>
Date: Tue Nov 1 11:12:13 2005
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: readdir_r considered harmful
Dear Ben Hutchings,
If someone uses pathconf to determine the buffer size, it's his own problem
and he creates a vulnerability by himself. You can list such applications
as vulnerable to race conditions.
The recommended (according to POSIX) way is to use NAME_MAX:
    buf = (struct dirent *)malloc(offsetof(struct dirent, d_name) +
                                  NAME_MAX + 1);
See: The GNU C Library Reference Manual, Chapter 14
and also the POSIX standard itself says:
    The storage pointed to by entry shall be large enough for a dirent
    with an array of char d_name members containing at least
    {NAME_MAX}+1 elements.
See:
http://www.opengroup.org/onlinepubs/009695399/functions/readdir.html
NAME_MAX is defined in limits.h and should be 255 according to the latest
POSIX extension. I see no problem with the POSIX standard in this case.
See:
http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
--Tuesday, November 1, 2005, 6:57:03 AM, you wrote to bugtraq@...urityfocus.com:
BH> readdir_r considered harmful
BH> ============================
BH> if ((dir = opendir(argv[1]))
BH> && (name_max = pathconf(argv[1], _PC_NAME_MAX)) > 0
BH> && (buf = (struct dirent *)malloc(
BH> offsetof(struct dirent, d_name) + name_max + 1))
--
~/ZARAZA
http://www.security.nnov.ru/
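
The buffer sizing discussed in this message, as an added example (not code from the message or from the quoted advisory). It goes beyond the thread by reading the limit from the open stream's own descriptor with NAME_MAX as a floor, and by auditing a directory for names that would not fit; the function names are hypothetical, and dirfd()/fpathconf() (POSIX.1-2008) and a defined NAME_MAX are assumed.

```c
#define _POSIX_C_SOURCE 200809L   /* dirfd(), fpathconf() */
#include <dirent.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Buffer size from the message: offsetof(d_name) + name_max + 1,
 * never smaller than sizeof(struct dirent). */
size_t dirent_size_for(long name_max)
{
    size_t need = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    return need < sizeof(struct dirent) ? sizeof(struct dirent) : need;
}

/* Size for an already-open stream: the limit is read from the stream's own
 * descriptor (no second path lookup). NAME_MAX is the floor; 0 on error. */
size_t dirent_size_for_dir(DIR *dir)
{
    long name_max = NAME_MAX, fs_max;
    int fd = dirfd(dir);
    if (fd < 0) return 0;
    fs_max = fpathconf(fd, _PC_NAME_MAX);   /* -1: error or no limit defined */
    if (fs_max > name_max) name_max = fs_max;
    return dirent_size_for(name_max);
}

/* Audit helper: count entries in path whose name (plus NUL) would not fit
 * a dirent buffer of bufsize bytes. Returns -1 if opendir() fails. */
long count_names_over(const char *path, size_t bufsize)
{
    DIR *dir = opendir(path);
    struct dirent *e;
    long over = 0;
    if (!dir) return -1;
    while ((e = readdir(dir)) != NULL)
        if (offsetof(struct dirent, d_name) + strlen(e->d_name) + 1 > bufsize)
            over++;
    closedir(dir);
    return over;
}

int main(int argc, char **argv)
{
    size_t sz = dirent_size_for(NAME_MAX);
    printf("%zu bytes, %ld oversized\n", sz, count_names_over(argc > 1 ? argv[1] : ".", sz));
    return 0;
}
```

A non-zero count from count_names_over() for a NAME_MAX-sized buffer means the directory holds names that a fixed NAME_MAX allocation cannot store.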