Ubuntu
glibc package

  1. Bug #392501
  2. Comment #14

Comment 14 for bug 392501

Revision history for this message
In , Kees Cook (kees) wrote :

Created attachment 4638
test.c

This reports the reclen coming from the dirp->data. sysdeps/unix/readdir_r.c:

      bytes = __GETDENTS (dirp->fd, dirp->data, maxread);
...
      dp = (DIRENT_TYPE *) &dirp->data[dirp->offset];
...
      reclen = dp->d_reclen;
...
    *result = memcpy (entry, dp, reclen);

It seems that the memcpy is what overflows. I wonder if adding an
"assert(sizeof(*entry) >= reclen)" should be added in here for fun, too.