From 4632228b35657b3be6c3560c591ba34c1161bf77 Mon Sep 17 00:00:00 2001
From: Peter Huene <peter@huene.dev>
Date: Thu, 28 Jan 2021 12:39:40 -0800
Subject: [PATCH 1/2] Fix `fd_readdir` to properly truncate directory entry
 names.

Previously, `fd_readdir` was truncating directory entry names based on the
calculation of `min(name_len, buf_len - bufused)`, but `bufused` was not being
updated after writing in the `dirent` structure to the buffer.

This allowed `bufused` to be incremented beyond `buf_len` and returned as the
number of bytes written to the buffer, which is invalid.

This fix adjusts `bufused` when the buffer is written to for the `dirent` so
that name truncation happens as expected.

Fixes #2618.
---
 crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs b/crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs
index 794be79c9fc6..7dc6c03ae718 100644
--- a/crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs
+++ b/crates/wasi-common/src/snapshots/wasi_snapshot_preview1.rs
@@ -304,7 +304,6 @@ impl<'a> WasiSnapshotPreview1 for WasiCtx {
             let dirent_len: types::Size = dirent_raw.len().try_into()?;
             let name_raw = name.as_bytes();
             let name_len = name_raw.len().try_into()?;
-            let offset = dirent_len.checked_add(name_len).ok_or(Error::Overflow)?;
 
             // Copy as many bytes of the dirent as we can, up to the end of the buffer.
             let dirent_copy_len = min(dirent_len, buf_len - bufused);
@@ -318,6 +317,7 @@ impl<'a> WasiSnapshotPreview1 for WasiCtx {
             }
 
             buf = buf.add(dirent_copy_len)?;
+            bufused += dirent_copy_len;
 
             // Copy as many bytes of the name as we can, up to the end of the buffer.
             let name_copy_len = min(name_len, buf_len - bufused);
@@ -331,8 +331,7 @@ impl<'a> WasiSnapshotPreview1 for WasiCtx {
             }
 
             buf = buf.add(name_copy_len)?;
-
-            bufused += offset;
+            bufused += name_copy_len;
         }
 
         Ok(bufused)

From 0502cadc62d3816fd1b5dd978209de3eda12c53a Mon Sep 17 00:00:00 2001
From: Peter Huene <peter@huene.dev>
Date: Thu, 28 Jan 2021 14:32:27 -0800
Subject: [PATCH 2/2] Stop allowing bufused > BUF_LEN in fd_readdir program.

This commit removes what appears to be a workaround to the bug being fixed by
the change in #2620.
---
 crates/test-programs/wasi-tests/src/bin/fd_readdir.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crates/test-programs/wasi-tests/src/bin/fd_readdir.rs b/crates/test-programs/wasi-tests/src/bin/fd_readdir.rs
index 903329b7443c..6a53a8ed1165 100644
--- a/crates/test-programs/wasi-tests/src/bin/fd_readdir.rs
+++ b/crates/test-programs/wasi-tests/src/bin/fd_readdir.rs
@@ -1,5 +1,5 @@
 use more_asserts::assert_gt;
-use std::{cmp::min, env, mem, process, slice, str};
+use std::{env, mem, process, slice, str};
 use wasi_tests::open_scratch_directory;
 
 const BUF_LEN: usize = 256;
@@ -59,7 +59,9 @@ unsafe fn exec_fd_readdir(fd: wasi::Fd, cookie: wasi::Dircookie) -> (Vec<DirEntr
     let bufused =
         wasi::fd_readdir(fd, buf.as_mut_ptr(), BUF_LEN, cookie).expect("failed fd_readdir");
 
-    let sl = slice::from_raw_parts(buf.as_ptr(), min(BUF_LEN, bufused));
+    assert!(bufused <= BUF_LEN);
+
+    let sl = slice::from_raw_parts(buf.as_ptr(), bufused);
     let dirs: Vec<_> = ReadDir::from_slice(sl).collect();
     let eof = bufused < BUF_LEN;
     (dirs, eof)