Dangerous usage of strncat, possible buffer overrun in file usb-darwin.c

Ettl Martin ettl.martin at gmx.de
Tue Jun 30 14:13:26 PDT 2009


Hello all,

I have checked the sources of cups with the static code analysis tool cppcheck. It found an issue in file usb-darwin.c and printed the following output:


[cups-1.3.10/backend/usb-darwin.c:1039]: (all) Dangerous usage of strncat, possible buffer overrun

Take a look at the code:

static Boolean list_device_cb(void *refcon,
			      io_service_t obj)
{
.....
    if (deviceIDString != NULL)
    {
      CFStringRef make = NULL,  model = NULL, serial = NULL;
      char uristr[1024], makestr[1024], modelstr[1024], serialstr[1024];
      char optionsstr[1024], idstr[1024], make_modelstr[1024];

 .....
1039  strncat(uristr, optionsstr, sizeof(uristr));

 .....
    }
  }
}

strncat is used wrongly here. strncat appends the sizeof(uristr) (here 1024) characters of optionsstr to uristr, plus a terminating null character. If the length of the C string in source is less than num, only the content up to the terminating null character is copied. So, this is a possible situation where a buffer overrun can happen.

Reference:
http://www.cplusplus.com/reference/clibrary/cstring/strncat/


Best regards

Ettl Martin
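
The following is an added example, not part of the original message or of the CUPS sources. It shows why passing the destination size as the third argument of strncat is not a bound on the destination, and how to compute the count that is. The helper names (strncat_room, strncat_overrun, append_bounded), the 16-byte buffer and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Largest count that may be passed to strncat(dst, src, count) for a
 * destination of dst_size bytes: strncat writes up to count characters
 * after the existing text and then a terminating NUL. */
size_t strncat_room(const char *dst, size_t dst_size)
{
    const char *nul = memchr(dst, '\0', dst_size);
    if (nul == NULL)              /* dst is not terminated inside its buffer */
        return 0;
    return dst_size - (size_t)(nul - dst) - 1;
}

/* Bytes that strncat(dst, src, count) would write past the end of dst;
 * 0 means the call fits. Computed without performing the call. */
size_t strncat_overrun(const char *dst, size_t dst_size,
                       const char *src, size_t count)
{
    size_t copied = strlen(src) < count ? strlen(src) : count;
    size_t end = strlen(dst) + copied + 1;     /* +1 for the NUL */
    return end > dst_size ? end - dst_size : 0;
}

/* Bounded append. Returns 0 if all of src fit, -1 if it was truncated
 * or dst was unusable; dst is left NUL-terminated when it was on entry. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    if (memchr(dst, '\0', dst_size) == NULL)
        return -1;
    size_t room = strncat_room(dst, dst_size);
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

int main(void)
{
    char uri[16] = "usb://HP/";                /* constructed, 9 chars used */
    const char *opts = "?serial=12345";        /* constructed, 13 chars */
    printf("count=sizeof(uri) overruns by %zu bytes\n",
           strncat_overrun(uri, sizeof(uri), opts, sizeof(uri)));
    printf("bounded append returned %d, uri=\"%s\"\n",
           append_bounded(uri, sizeof(uri), opts), uri);
    return 0;
}
```

The -1 return lets a caller treat a truncated URI as an error instead of using it silently.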






More information about the cups-devel mailing list