fix: freebsd's xattr returns the number of bytes read

Stebalien · Stebalien · commit df9ee49ef08b · 2025-09-20T19:51:31.000-07:00
On linux, the xattr API returns the ERANGE if the result doesn't fit. On
FreeBSD, it returns the number of bytes read.

Previously, this wasn't an obvious issue because we always checked the
size before we read the attribute. It was still incorrect, but would
have required a race to trigger a bug.

Now, it's a more pressing issue because we try reading once with a
4KiB buffer before we check the size.

The fix is simple: make the target buffer 1 byte larger than it has to
be and make sure we always read less than the size of the buffer we
passed in.
diff --git a/src/sys/bsd.rs b/src/sys/bsd.rs
@@ -56,13 +56,18 @@ fn allocate_loop<F: Fn(*mut c_void, size_t) -> libc::ssize_t>(f: F) -> io::Resul
         |buf| unsafe {
             let (ptr, len) = slice_parts(buf);
             let new_len = cvt(f(ptr, len))?;
-            assert!(
-                new_len <= len,
-                "OS returned length {new_len} greater than buffer size {len}"
-            );
-            Ok(slice::from_raw_parts_mut(ptr.cast(), new_len))
+            if new_len < len {
+                Ok(slice::from_raw_parts_mut(ptr.cast(), new_len))
+            } else {
+                // If the length of the value isn't strictly smaller than the length of the value
+                // read, there may be more to read. Fake an ERANGE error so we can try again with a
+                // bigger buffer.
+                Err(io::Error::from_raw_os_error(crate::sys::ERANGE))
+            }
         },
-        || cvt(f(ptr::null_mut(), 0)),
+        // Estimate size + 1 because, on freebsd, the only way to tell if we've read the entire
+        // value is read a value smaller than the buffer we passed.
+        || Ok(cvt(f(ptr::null_mut(), 0))? + 1),
     )
 }
 
diff --git a/src/util.rs b/src/util.rs
@@ -42,7 +42,12 @@ where
                     );
                     vec.set_len(len);
                 }
-                vec.shrink_to_fit();
+                // Only shrink to fit if we've over-allocated by MORE than one byte. Unfortunately,
+                // on FreeBSD, we have to over-allocate by one byte to determine if we've read all
+                // the attributes.
+                if vec.capacity() > vec.len() + 1 {
+                    vec.shrink_to_fit();
+                }
                 return Ok(vec);
             }
             Err(e) if e.raw_os_error() != Some(crate::sys::ERANGE) => return Err(e),

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,12 @@ where`
`42`	`42`	`);`
`43`	`43`	`vec.set_len(len);`
`44`	`44`	`}`
`45`		`- vec.shrink_to_fit();`
	`45`	`+ // Only shrink to fit if we've over-allocated by MORE than one byte. Unfortunately,`
	`46`	`+ // on FreeBSD, we have to over-allocate by one byte to determine if we've read all`
	`47`	`+ // the attributes.`
	`48`	`+ if vec.capacity() > vec.len() + 1 {`
	`49`	`+ vec.shrink_to_fit();`
	`50`	`+ }`
`46`	`51`	`return Ok(vec);`
`47`	`52`	`}`
`48`	`53`	`Err(e) if e.raw_os_error() != Some(crate::sys::ERANGE) => return Err(e),`