Dangerous usage of strncat, possible buffer overrun in file usb-darwin.c
Ettl Martin
ettl.martin at gmx.de
Tue Jun 30 14:13:26 PDT 2009
Hello all,
I have checked the sources of cups with the static code analysis tool cppcheck. It found an issue in file usb-darwin.c and printed the following output:
[cups-1.3.10/backend/usb-darwin.c:1039]: (all) Dangerous usage of strncat, possible buffer overrun
Take a look at the code:
static Boolean list_device_cb(void *refcon,
                              io_service_t obj)
{
  .....
    if (deviceIDString != NULL)
    {
      CFStringRef make = NULL, model = NULL, serial = NULL;
      char uristr[1024], makestr[1024], modelstr[1024], serialstr[1024];
      char optionsstr[1024], idstr[1024], make_modelstr[1024];
      .....
1039  strncat(uristr, optionsstr, sizeof(uristr));
      .....
    }
  }
}
strncat is used wrongly here. strncat appends the sizeof(uristr) (here 1024) characters of optionsstr to uristr, plus a terminating null-character. If the length of the C string in source is less than num, only the content up to the terminating null-character is copied. So, this is a possible situation where a buffer overrun can happen.
Reference:
http://www.cplusplus.com/reference/clibrary/cstring/strncat/
Best regards
Ettl Martin
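
The bound problem reported above, as an added example that is not part of the original post and not CUPS code: the third argument of strncat limits how much of the source is copied, not the total size of the destination, so the safe value is the room left after the destination's current contents. The helper names, the 16-byte buffer and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes of dst that strncat(dst, src, n) would occupy, terminator
 * included. Computed rather than executed, so the overflowing call
 * can be examined without actually overrunning anything. */
size_t strncat_bytes_needed(const char *dst, const char *src, size_t n)
{
    size_t src_len = strlen(src);
    size_t copied = src_len < n ? src_len : n;
    return strlen(dst) + copied + 1;
}

/* Hypothetical helper: append src to dst without writing past
 * dst_size bytes. Returns 0 if all of src fit, -1 if src was
 * truncated or dst holds no terminator within dst_size bytes. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;
    /* Room left for new characters: total size, minus what is
     * already there, minus the terminator strncat always writes. */
    size_t room = dst_size - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) <= room ? 0 : -1;
}

int main(void)
{
    char uri[16] = "usb://HP/";              /* constructed sample */
    const char *options = "?serial=12345678"; /* constructed sample */

    /* Same pattern as line 1039: n = sizeof(destination). */
    size_t need = strncat_bytes_needed(uri, options, sizeof(uri));
    printf("sizeof(uri)=%zu, strncat(uri, options, sizeof(uri)) needs %zu\n",
           sizeof(uri), need);

    int rc = bounded_append(uri, sizeof(uri), options);
    printf("bounded_append -> %d, uri=\"%s\"\n", rc, uri);
    return 0;
}
```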