This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix readdir_r with long file names
- From: Rich Felker <dalias at aerifal dot cx>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: Florian Weimer <fweimer at redhat dot com>, KOSAKI Motohiro <kosaki dot motohiro at gmail dot com>, libc-alpha <libc-alpha at sourceware dot org>
- Date: Mon, 10 Jun 2013 21:13:24 -0400
- Subject: Re: [PATCH] Fix readdir_r with long file names
- References: <519B58EC dot 6060108 at redhat dot com> <51B0A2F9 dot 5060004 at redhat dot com> <51B0B39F dot 4060202 at redhat dot com> <51B0BD36 dot 3030202 at redhat dot com> <CAHGf_=r9Rz63pho+84ORk0a_oDyJSj-MCnZ56uPrT3L6sVEfeQ at mail dot gmail dot com> <20130607013024 dot GO29800 at brightrain dot aerifal dot cx> <51B19203 dot 3070307 at redhat dot com> <20130607144143 dot GQ29800 at brightrain dot aerifal dot cx> <51B57E35 dot 4080403 at redhat dot com> <51B65EA7 dot 2020402 at redhat dot com>
On Mon, Jun 10, 2013 at 07:17:59PM -0400, Carlos O'Donell wrote:
> On 06/10/2013 03:20 AM, Florian Weimer wrote:
> > On 06/07/2013 04:41 PM, Rich Felker wrote:
> >> Yes. I just disagree with recommending that portable applications
> >> use readdir_r (as discussed on the Austin Group tracker/list, it
> >> has major problems related to NAME_MAX not being mandatory) and
> >> with the idea (by someone else, not you) to add a readdir4 rather
> >> than just deprecating caller-provided buffers for reading
> >> directories. Those were the only things I was commenting on.
> >
> > Carlos, what do you think about this? I tend to agree with Rich here
> > and would like to back out this part of your suggestions again.
>
> I'm OK with backing out the recommendation of readdir_r as a portable
> alternative, but the text should instead say *why* readdir_r is not
> a good portable alternative. That is to say we should specifically
> dissuade the use if that's actually the truth.
I think the text should be informative and objective rather than
dogmatic. It should include the following information:
- On systems where NAME_MAX is not defined, readdir_r cannot be used
safely, as the interface contract for readdir_r is specified in
terms of NAME_MAX.
- On systems where NAME_MAX is defined but not enforced for all
filesystems, there may be directory entries whose names are readable
by readdir but not readdir_r, and attempts to read such names on
older versions of glibc may result in exploitable buffer overflows.
- Historically, POSIX does not require readdir to be thread-safe, but
on most (all?) known recent systems including glibc-based ones, it
is thread-safe as long as the same directory stream (DIR*) is not
accessed concurrently from multiple threads.
- Future versions of POSIX will mandate this level of thread-safety
for the readdir function and mark readdir_r obsolescent.
If this is deemed "too technical", perhaps someone could write a short
summary that expresses the tradeoffs between the two interfaces. It
would be especially useful to know if my "all?" above really is "all
recent systems" or even "all historical implementations", since it
would make the choice for application developers much more clear-cut.
Rich
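An added illustration of the two sizing points above (example code, not from this thread or from glibc): it derives the buffer a readdir_r caller would need from fpathconf(_PC_NAME_MAX), refusing when no limit is known, and reads a directory with plain readdir on a thread-private DIR*. The scratch directory under /tmp and the 255-byte file name are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Buffer size a readdir_r caller needs for the filesystem under path, or 0 when
 * no safe size exists: the NAME_MAX problem the message describes. */
size_t readdir_r_buf_size(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return 0;
    errno = 0;
    long name_max = fpathconf(dirfd(d), _PC_NAME_MAX);
    int err = errno;                       /* save before closedir can touch it */
    closedir(d);
    if (name_max == -1) {
#ifdef NAME_MAX
        if (!err) name_max = NAME_MAX;     /* limit indeterminate: fall back */
#endif
        if (name_max == -1) return 0;      /* failed, or no NAME_MAX at all */
    }
    return offsetof(struct dirent, d_name) + (size_t)name_max + 1;
}
/* Plain readdir on a DIR* private to this thread (the usage the message calls
 * safe); returns the entry count including . and .., or -1 on a read error. */
int scan_dir(const char *path, size_t *longest)
{
    DIR *d = opendir(path);
    struct dirent *e; int n = 0, err;
    if (!d) return -1;
    for (*longest = 0, errno = 0; (e = readdir(d)) != NULL; errno = 0, n++)
        if (strlen(e->d_name) > *longest) *longest = strlen(e->d_name);
    err = errno; closedir(d);              /* NULL with errno set: read error */
    return err ? -1 : n;
}
/* Constructed check: scratch dir with one 255-byte name (the longest Linux
 * accepts); returns the longest name readdir saw, or -1 on error. */
long demo_long_name(void)
{
    char dir[] = "/tmp/rdr-demo-XXXXXX", path[sizeof dir + 256];
    size_t longest = 0;
    if (!mkdtemp(dir)) return -1;
    strcpy(path, dir); strcat(path, "/");
    memset(path + strlen(path), 'a', 255); path[strlen(dir) + 256] = '\0';
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) { close(fd); if (scan_dir(dir, &longest) < 0) longest = 0; }
    unlink(path); rmdir(dir); return fd < 0 ? -1 : (long)longest;
}
```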