From owner-freebsd-bugs  Wed Apr 12 13:55:22 1995
Return-Path: bugs-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id NAA24082
          for bugs-outgoing; Wed, 12 Apr 1995 13:55:22 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA24055
          for <bugs@FreeBSD.org>; Wed, 12 Apr 1995 13:54:42 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id GAA25937; Thu, 13 Apr 1995 06:52:28 +1000
Date: Thu, 13 Apr 1995 06:52:28 +1000
From: Bruce Evans <bde@zeta.org.au>
Message-Id: <199504122052.GAA25937@godzilla.zeta.org.au>
To: bugs@FreeBSD.org, craig@munich.gcomm.com
Subject: Re: seekdir bug
Sender: bugs-owner@FreeBSD.org
Precedence: bulk

>There is a bug when seeking through a directory.  telldir() seems to return
>a position in the directory that doesnt match the name of the file.  I've
>included a program that will exploit the bug.  I ran it as followed:

The man page says that "Values returned by telldir() are good only for
the lifetime of the DIR pointer, dirp, from which they are derived."
However, it also says that "It is safe to use a previous telldir() value
immediately after a call to opendir() and before any calls to
readdir()."  The second statement is now wrong because telldir() cookies
are reclaimed in closedir().  telldir() cookies are malloc()ed and (I
think) the memory for them used to be lost in closedir().

Bruce