Question

I am trying to write a getdents() system call to list all the directory entries returned by a call to getdents(), but I am having a small problem that I cannot seem to solve, and I am not sure if this is a C error (since I am still learning it) or something with the call itself. When I print d_name of each struct, I am always missing the first letter of the directory/file.

Feb 13 11:39:04 node35 kernel: [  911.353033] entry: ootkit.c
Feb 13 11:39:04 node35 kernel: [  911.353035] entry: ootkit.mod.c
Feb 13 11:39:04 node35 kernel: [  911.353036] entry: ootkit.ko

The names of the files are rootkit.*

My code:

/* t_syscall_hook and find_syscall_hook() come from the poster's own
 * syscall-hooking framework and are not shown in the question. */
asmlinkage int new_getdents(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int nread;
    int bpos;
    struct linux_dirent64 *d;
    int (*orig_func)(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
    t_syscall_hook *open_hook;

    /* look up the saved original handler for the getdents syscall number */
    open_hook = find_syscall_hook(__NR_getdents);
    orig_func = (void*) open_hook->orig_func;

    /* let the original fill the caller's buffer, then walk the records */
    nread = (*orig_func)(fd, dirp, count);
    d = dirp;

    for (bpos = 0; bpos < nread;) {
      d = (struct linux_dirent64 *) ((char*)dirp + bpos);
      printk(KERN_INFO "%s\n", d->d_name);
      bpos += d->d_reclen;   /* d_reclen is the total size of this record */
    }

    return nread;
}

Solution

My best guess is that you've mixed up the legacy and "64" versions of the getdents syscall. Even on 64-bit systems, there seems to be a legacy version (without the 64) that writes a structure lacking the d_type member (so the first character of the name would get misinterpreted as the d_type member if you're using the modern "64" version of the structure) in addition to the (correct) getdents64 syscall.
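
The layout mismatch described in the answer, shown on a constructed buffer (added example, not code from the question or the answer). Both record formats are defined locally, since glibc does not export the legacy one; the buffer is filled the way the kernel's filldir() lays out legacy getdents records, and then walked once with the legacy layout and once with the poster's loop, which reads it through the getdents64 layout. Offsets assume an LP64 kernel/userspace (x86_64 or similar), which is what the question's log lines come from. Record contents (inode numbers, offsets, the three file names) are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy getdents(2) record, as the man page shows it (not in any
 * libc header). d_type is stored in the LAST byte of the record,
 * after the NUL-terminated name. On LP64, d_name starts at offset 18. */
struct linux_dirent {
    unsigned long  d_ino;
    unsigned long  d_off;
    unsigned short d_reclen;
    char           d_name[];
};

/* getdents64(2) record: d_type sits between d_reclen and d_name,
 * so d_name starts at offset 19. Named my_dirent64 to avoid clashing
 * with the uapi definition. */
struct my_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

#define DT_REG_VALUE 8   /* DT_REG, spelled out so <dirent.h> is not needed */

/* Append one legacy record to buf the way filldir() does: header, name,
 * NUL, then d_type in the last byte, with d_reclen rounded up to
 * sizeof(long). Returns bytes written, or 0 if the record does not fit. */
static size_t put_legacy_record(unsigned char *buf, size_t cap,
                                unsigned long ino, unsigned long off,
                                const char *name, unsigned char type)
{
    size_t namlen = strlen(name);
    size_t reclen = offsetof(struct linux_dirent, d_name) + namlen + 2;
    reclen = (reclen + sizeof(long) - 1) & ~(sizeof(long) - 1);
    if (reclen > cap)
        return 0;
    memset(buf, 0, reclen);
    struct linux_dirent *d = (struct linux_dirent *)buf;
    d->d_ino = ino;
    d->d_off = off;
    d->d_reclen = (unsigned short)reclen;
    memcpy(d->d_name, name, namlen + 1);
    buf[reclen - 1] = type;
    return reclen;
}

/* Walk a legacy buffer with the matching (legacy) layout. */
static int walk_legacy(const unsigned char *buf, size_t len,
                       const char **names, int max)
{
    int n = 0;
    for (size_t bpos = 0; bpos < len && n < max;) {
        const struct linux_dirent *d = (const struct linux_dirent *)(buf + bpos);
        names[n++] = d->d_name;
        bpos += d->d_reclen;
    }
    return n;
}

/* The poster's loop: the same legacy buffer read through the 64 layout.
 * d_reclen sits at offset 16 in both formats, so the stride is still
 * right and nothing crashes; only d_name is shifted by one byte. */
static int walk_as_dirent64(const unsigned char *buf, size_t len,
                            const char **names, int max)
{
    int n = 0;
    for (size_t bpos = 0; bpos < len && n < max;) {
        const struct my_dirent64 *d = (const struct my_dirent64 *)(buf + bpos);
        names[n++] = d->d_name;
        bpos += d->d_reclen;
    }
    return n;
}

static unsigned char g_buf[256];   /* constructed sample buffer */
static size_t g_len;

/* Fill g_buf with the three names from the question; returns total bytes. */
size_t build_sample(void)
{
    const char *names[] = { "rootkit.c", "rootkit.mod.c", "rootkit.ko" };
    g_len = 0;
    for (int i = 0; i < 3; i++)
        g_len += put_legacy_record(g_buf + g_len, sizeof g_buf - g_len,
                                   100 + i, i + 1, names[i], DT_REG_VALUE);
    return g_len;
}

const char *first_name_correct(void)
{
    const char *n[8];
    build_sample();
    walk_legacy(g_buf, g_len, n, 8);
    return n[0];
}

const char *first_name_misparsed(void)
{
    const char *n[8];
    build_sample();
    walk_as_dirent64(g_buf, g_len, n, 8);
    return n[0];
}

/* What the 64 layout reports as d_type: really the first byte of the name. */
unsigned char first_type_misparsed(void)
{
    build_sample();
    return ((const struct my_dirent64 *)g_buf)->d_type;
}

/* Where the legacy format actually keeps d_type: last byte of the record. */
unsigned char first_type_correct(void)
{
    build_sample();
    return g_buf[((const struct linux_dirent *)g_buf)->d_reclen - 1];
}

int main(void)
{
    const char *n[8];
    int i, c;
    build_sample();
    c = walk_legacy(g_buf, g_len, n, 8);
    for (i = 0; i < c; i++)
        printf("legacy layout:   %s\n", n[i]);
    c = walk_as_dirent64(g_buf, g_len, n, 8);
    for (i = 0; i < c; i++)
        printf("64 layout:       %s\n", n[i]);
    return 0;
}
```

Walked with the legacy layout the names come back intact; walked with the 64 layout each name loses its first character and that character shows up as d_type, exactly the "ootkit.c" symptom in the kernel log. The two fixes the answer implies are either to keep hooking __NR_getdents and declare the buffer as struct linux_dirent, or to hook __NR_getdents64 and keep struct linux_dirent64; mixing the two is what shifts d_name.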

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow