[Mono-bugs] [Bug 82678][Maj] Changed - Mono_Posix_Syscall_readdir_r causes stack corruption in readdir_r, resulting in crash

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Mon Sep 3 20:20:00 EDT 2007

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by jonpryor at vt.edu.


--- shadow/82678	2007-09-03 15:41:37.000000000 -0400
+++ shadow/82678.tmp.4770	2007-09-03 20:20:00.000000000 -0400
@@ -1,10 +1,10 @@
 Bug#: 82678
 Product: Mono: Class Libraries
 Version: 1.2
+OS: unknown
 OS Details: 
 Status: NEW   
 Severity: 002 Two hours
 Priority: Major
 Component: Mono.POSIX
@@ -103,6 +103,33 @@
 fix should use PATH_MAX (which I believe is POSIX mandated) and not pathconf().
 ------- Additional Comments From trisk+ximian at acm.jhu.edu  2007-09-03 15:41 -------
 Created an attachment (id=19954)
 Patch to fix readdir_r stack corruption and return value bug
+------- Additional Comments From jonpryor at vt.edu  2007-09-03 20:20 -------
+The failure to check *result after the readdir_r() call is a bug.
+I fail to see how using readdir_r() in the documented fashion is a
+bug, though.  If anything, it signals a bug in Solaris' libc, and a
+cursory Google search doesn't show any sources which would indicate
+that this is recommended practice.
+On the other hand, a cursory Google search *does* show that the
+attached implementation is flawed, as it allocates a char array buffer
+on the stack, which may not be properly aligned on the stack for
+`struct dirent'.  At minimum, either malloc(3) should be used or a
+double array should be used (as `double' usually has the most strict
+alignment on any platform).
+Furthermore, the patch is flawed 2048 may still be too small --
+considering that many filesystems are switching to unlimited length
+filenames.  Considering the previous paragraph (alignment), it would
+probably be better to use _PC_PATH_MAX with pathconf(3) to get the
+actual filesystem specific maximum length, add that to `sizeof(struct
+dirent)', and malloc(3) _that_ size.  (Though pathconf(3) may not have
+a value for _PC_PATH_MAX -- you'd have to check.)
+Is there any source indicating that the character array is the
+preferred approach, despite no mention of this "hack" from the actual
+Unix03 standard for readdir_r()?

More information about the mono-bugs mailing list