From af7e0458c618ac8d34e7e7586562dd64f2fe3a5f Mon Sep 17 00:00:00 2001 From: mager-m Date: Wed, 9 Jun 2021 23:35:33 +0200 Subject: [PATCH] Fixed memory allocation for `struct dirent` While porting clixon to the RTOS Blackberry QNX there was memory corruption while reading the yang models from the disk. Debugging led to the function `clicon_file_dirent` in `clixon_file.c` in which the `struct dirent` is copied into an array. According to the UNIX `struct dirent` [documentation](https://man7.org/linux/man-pages/man0/dirent.h.0p.html): > The name of an array of char of an unspecified size should not be > used as an lvalue. Use of: > > sizeof(d_name) > > is incorrect; use: > > strlen(d_name) > > instead. I adjusted the memory allocation to take the `strlen(dent->d_name)` into account. --- lib/src/clixon_file.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/src/clixon_file.c b/lib/src/clixon_file.c index 3e3912e9..c31a0e7a 100644 --- a/lib/src/clixon_file.c +++ b/lib/src/clixon_file.c @@ -50,7 +50,8 @@ #include #include #include - +#include + /* cligen */ #include @@ -103,6 +104,7 @@ clicon_file_dirent(const char *dir, DIR *dirp; int res; int nent; + int direntStructSize; regex_t re; char errbuf[128]; char filename[MAXPATHLEN]; @@ -143,12 +145,13 @@ clicon_file_dirent(const char *dir, if ((type & st.st_mode) == 0) continue; } - if ((tmp = realloc(new, (nent+1)*sizeof(*dvecp))) == NULL) { + direntStructSize = offsetof(struct dirent, d_name) + strlen(dent->d_name) + 1; + if ((tmp = realloc(new, (nent+1)*direntStructSize)) == NULL) { clicon_err(OE_UNIX, errno, "realloc"); goto quit; } new = tmp; - memcpy(&new[nent], dent, sizeof(*dent)); + memcpy(&new[nent], dent, direntStructSize); nent++; } /* while */
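Review bot: In the last hunk, `realloc(new, (nent+1)*direntStructSize)` sizes the whole array from the current entry's name length, while `&new[nent]` in the `memcpy` below still strides by `sizeof(*new)`. The declaration of `new` is outside the hunk; if its element type is `struct dirent` with a full-size `d_name`, a short name can shrink the buffer below `nent` slots, so the `memcpy` writes past the allocation and earlier entries are truncated. Where the declared `d_name` is shorter than the real name, the copy instead runs into the next slot. The allocation should stay at the element stride, with only the copy length following the name and a check that it fits the slot. `int direntStructSize` in the second hunk should be `size_t`, since it holds `offsetof` plus `strlen` and feeds a multiplication. Returning names longer than the declared `d_name` would need a different element type, which is outside these hunks, as are the start and end of `clicon_file_dirent`.

```c
size_t direntStructSize;   /* declaration hunk: size_t rather than int */
/* … unchanged: earlier loop body, type filter … */
direntStructSize = offsetof(struct dirent, d_name) + strlen(dent->d_name) + 1;
if (direntStructSize > sizeof(*new)) {
    /* record does not fit one fixed-stride slot: fail rather than overrun it */
    clicon_err(OE_UNIX, ENAMETOOLONG, "%s", dent->d_name);
    goto quit;
}
if ((tmp = realloc(new, (nent+1)*sizeof(*new))) == NULL) {
/* … unchanged: realloc error path, new = tmp … */
memset(&new[nent], 0, sizeof(*new));   /* no stale bytes after the short copy */
memcpy(&new[nent], dent, direntStructSize);
```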