#58 friendsd.c: 2 * bad strncpy

gpsdrive-2.11
closed-fixed
Hamish B
source code (4)
5
2011-12-11
2011-12-11
dcb
No

I just tried to compile gpsdrive-2.11 with compiler flag -D_FORTIFY_SOURCE=2.

It noticed

1.

In function 'strncpy',
inlined from 'dg_echo' at /home/dcb/rpmbuild/BUILD/gpsdrive-2.11/src/friendsd.c:229:16:
/usr/include/bits/string3.h:121:3: warning: call to __builtin___strncpy_chk will always overflow destination buffer [enabled by default]

The source code is

strncpy ((list +
i)->txt,
mesg,
MAXMESG - 1);

Suggest new code
strncpy ((list +
i)->txt,
mesg,
1024);

2.

In function 'strncpy',
inlined from 'dg_echo' at /home/dcb/rpmbuild/BUILD/gpsdrive-2.11/src/friendsd.c:245:15:
/usr/include/bits/string3.h:121:3: warning: call to __builtin___strncpy_chk will always overflow destination buffer [enabled by default]

Source code is

strncpy ((list + i)->txt,
mesg, MAXMESG - 1);

Suggest new code

strncpy ((list + i)->txt,
mesg, 1024);

Discussion

  • Hamish B

    Hamish B - 2011-12-11

    how about this solution:

    Index: src/friendsd.c

    --- src/friendsd.c (revision 2597)
    +++ src/friendsd.c (working copy)
    @@ -170,7 +170,7 @@
    struct
    {
    char id[31];
    - char txt[1024];
    + char txt[MAXMESG];
    long int times;
    } *list;

    ?,
    Hamish

     
  • dcb

    dcb - 2011-12-11

    That's a possible solution, but it seems overkill to vastly increase
    the size of a data structure for all users everywhere, just because
    a couple of lines of code are in error.

    Unless it is useful to have a much bigger text buffer ?

     
  • Hamish B

    Hamish B - 2011-12-11
    • assigned_to: nobody --> hbowman
    • status: open --> closed-fixed
     
  • Hamish B

    Hamish B - 2011-12-11

    but it's the right thing to do: the txt[1024] was in error. Worst case is 4mb RAM used, a typical case will me more like 20-80kb used. I can live with that.

    done in r2599.

    thanks,
    Hamish

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks