This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix readdir_r with long file names
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Rich Felker <dalias at aerifal dot cx>
- Cc: Florian Weimer <fweimer at redhat dot com>, KOSAKI Motohiro <kosaki dot motohiro at gmail dot com>, libc-alpha <libc-alpha at sourceware dot org>
- Date: Mon, 10 Jun 2013 22:22:08 -0400
- Subject: Re: [PATCH] Fix readdir_r with long file names
- References: <519B58EC dot 6060108 at redhat dot com> <51B0A2F9 dot 5060004 at redhat dot com> <51B0B39F dot 4060202 at redhat dot com> <51B0BD36 dot 3030202 at redhat dot com> <CAHGf_=r9Rz63pho+84ORk0a_oDyJSj-MCnZ56uPrT3L6sVEfeQ at mail dot gmail dot com> <20130607013024 dot GO29800 at brightrain dot aerifal dot cx> <51B19203 dot 3070307 at redhat dot com> <20130607144143 dot GQ29800 at brightrain dot aerifal dot cx> <51B57E35 dot 4080403 at redhat dot com> <51B65EA7 dot 2020402 at redhat dot com> <20130611011324 dot GT29800 at brightrain dot aerifal dot cx>
On 06/10/2013 09:13 PM, Rich Felker wrote:
> On Mon, Jun 10, 2013 at 07:17:59PM -0400, Carlos O'Donell wrote:
>> On 06/10/2013 03:20 AM, Florian Weimer wrote:
>>> On 06/07/2013 04:41 PM, Rich Felker wrote:
>>>> Yes. I just disagree with recommending that portable applications
>>>> use readdir_r (as discussed on the Austin Group tracker/list, it
>>>> has major problems related to NAME_MAX not being mandatory) and
>>>> with the idea (by someone else, not you) to add a readdir4 rather
>>>> than just deprecating caller-provided buffers for reading
>>>> directories. Those were the only things I was commenting on.
>>>
>>> Carlos, what do you think about this? I tend to agree with Rich here
>>> and would like to back out this part of your suggestions again.
>>
>> I'm OK with backing out the recommendation of readdir_r as a portable
>> alternative, but the text should instead say *why* readdir_r is not
>> a good portable alternative. That is to say we should specifically
>> dissuade the use if that's actually the truth.
>
> I think the text should be informative and objective rather than
> dogmatic. It should include the following information:
>
> - On systems where NAME_MAX is not defined, readdir_r cannot be used
> safely, as the interface contract for readdir_r is specified in
> terms of NAME_MAX.
>
> - On systems where NAME_MAX is defined but not enforced for all
> filesystems, there may be directory entries whose names are readable
> by readdir but not readdir_r, and attempts to read such names on
> older versions of glibc may result in exploitable buffer overflows.
>
> - Historically, POSIX does not require readdir to be thread-safe, but
> on most (all?) known recent systems including glibc-based ones, it
> is thread-safe as long as the same directory stream (DIR*) is not
> accessed concurrently from multiple threads.
>
> - Future versions of POSIX will mandate this level of thread-safety
> for the readdir function and mark readdir_r obsolescent.
>
> If this is deemed "too technical", perhaps someone could write a short
> summary that expresses the tradeoffs between the two interfaces. It
> would be especially useful to know if my "all?" above really is "all
> recent systems" or even "all historical implementations", since it
> would make the choice for application developers much more clear-cut.
I don't think it's too technical for a manual.
I can't comment on the "all?" bit, but I can say that you would be
safe simply saying that @theglibc does provide a thread-safe
implementation.
Cheers,
Carlos.
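An added illustration of the two points raised in the quoted list above, the NAME_MAX-sized buffer that the readdir_r contract presumes versus readdir's thread-safety per DIR*; this is example code written for this page, not from the thread or from glibc. The function names dirent_buf_size, count_entries and make_fixture are hypothetical, and the 255 fallback and the temp-directory fixture are constructed.

```c
#define _XOPEN_SOURCE 700  /* mkdtemp, fpathconf, dirfd */
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: the buffer a readdir_r caller would need for this directory.
 * fpathconf gives the filesystem's limit; if none is reported, any constant is a guess. */
size_t dirent_buf_size(const char *path) {
    DIR *dirp = opendir(path);
    if (!dirp) return 0;
    long name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
    closedir(dirp);
    if (name_max == -1) name_max = 255;  /* constructed fallback, not a guarantee */
    return offsetof(struct dirent, d_name) + (size_t)name_max + 1;
}

/* Count entries other than "." and ".." with plain readdir. The DIR* never leaves this
 * function (the condition for glibc's readdir to be thread-safe); no caller buffer exists. */
int count_entries(const char *path) {
    DIR *dirp = opendir(path);
    if (!dirp) return -1;
    int n = 0; struct dirent *ent;
    errno = 0;  /* so end-of-stream can be told apart from an error */
    while ((ent = readdir(dirp)) != NULL)
        if (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."))
            n++;
    int err = errno; closedir(dirp);
    return err ? -1 : n;
}

/* Constructed fixture: a fresh temp dir holding "short" and a 200-byte file name. */
const char *make_fixture(void) {
    static char dir[PATH_MAX];
    char longname[201], path[PATH_MAX]; FILE *f;
    memset(longname, 'x', 200); longname[200] = '\0';
    const char *names[2] = { "short", longname };
    strcpy(dir, "/tmp/rdtest.XXXXXX");
    if (!mkdtemp(dir)) return NULL;
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if (!(f = fopen(path, "wx"))) return NULL;
        fclose(f);
    }
    return dir;
}
```

The 200-byte name is returned by readdir without any caller-side sizing, while a readdir_r caller must commit to dirent_buf_size up front and is only safe if the filesystem actually enforces the limit fpathconf reports.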