Dangerous usage of strncat, possible buffer overrun in file usb-darwin.c

Ettl Martin ettl.martin at gmx.de
Sun Aug 2 02:50:26 PDT 2009


> Hello all,
>
> I have checked the sources of cups with the static code analysis tool cppcheck. It found an issue in file usb-darwin.c and printed the following output:
>
>
> [cups-1.3.10/backend/usb-darwin.c:1039]: (all) Dangerous usage of strncat, possible buffer overrun
>
> Take a look at the code:
>
> static Boolean list_device_cb(void *refcon,
>                               io_service_t obj)
> {
> .....
>     if (deviceIDString != NULL)
>     {
>       CFStringRef make = NULL,  model = NULL, serial = NULL;
>       char uristr[1024], makestr[1024], modelstr[1024], serialstr[1024];
>       char optionsstr[1024], idstr[1024], make_modelstr[1024];
>
>  .....
> 1039  strncat(uristr, optionsstr, sizeof(uristr));
>
>  .....
>     }
>   }
> }
>
> strncat is used wrongly here. strncat appends the sizeof(uristr) (here 1024) characters of optionsstr to uristr, plus a terminating null-character. If the length of the C string in source is less than num, only the content up to the terminating null-character is copied. So, this is a possible situation where a buffer overrun can happen.
>
> Reference:
> http://www.cplusplus.com/reference/clibrary/cstring/strncat/
>
>
> Best regards
>
> Ettl Martin

This is a message from the cppcheck developers; I am forwarding it because of the strncat issue above:


Hello!

I intended to reply to your message about the cups bug..
http://www.cups.org/newsgroups.php?s1+gcups.bugs+v3+T+Qettl

But login was required to do that, so I sent my reply in an email to you instead.

The third parameter to strncat does not limit the total size of the resulting string as the developer seems to think.
The third parameter limits the number of characters that are appended.

If uristr is not empty it causes a buffer overflow to append sizeof(uristr) characters.

This also made me see a problem with cppcheck.. the error message from cppcheck should be more descriptive.
I am open to suggestions if you have any.

Best regards,
Daniel
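
An added example, not part of the messages above or of the CUPS source: it works out how far the reported `strncat(uristr, optionsstr, sizeof(uristr))` call writes and shows a bounded append beside it. The 16-byte buffers and sample strings are constructed, and `strncat_extent` and `append_bounded` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Index one past the last byte strncat(dst, src, n) writes:
 * existing text + at most n appended characters + the terminating NUL. */
static size_t strncat_extent(const char *dst, const char *src, size_t n)
{
    size_t srclen = strlen(src);
    return strlen(dst) + (srclen < n ? srclen : n) + 1;
}

/* Bounded append. Returns 0 if src fit, 1 if it was truncated,
 * -1 if dst holds no NUL within dstsize bytes. */
static int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;
    size_t room = dstsize - (size_t)(end - dst) - 1;  /* free bytes, NUL excluded */
    strncat(dst, src, room);
    return strlen(src) > room ? 1 : 0;
}

int main(void)
{
    char uristr[16] = "usb://HP/";          /* constructed sample */
    char optionsstr[16] = "?serial=12345";  /* constructed sample */

    /* Reported pattern: strncat(uristr, optionsstr, sizeof(uristr)); */
    printf("reported call needs %zu bytes, buffer has %zu\n",
           strncat_extent(uristr, optionsstr, sizeof(uristr)), sizeof(uristr));

    int rc = append_bounded(uristr, sizeof(uristr), optionsstr);
    printf("bounded append: rc=%d, uristr=\"%s\"\n", rc, uristr);
    return 0;
}
```

A return value of 1 means the appended text was cut short, which a caller building a device URI would normally treat as an error rather than use silently.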





