Dangerous usage of strncat, possible buffer overrun in file usb-darwin.c

Ettl Martin ettl.martin at gmx.de
Tue Jun 30 15:04:09 PDT 2009

Hello all,

I have checked the sources of cups with the static code analysis tool cppcheck. It found an issue in the file usb-darwin.c and printed the following output:

[cups-1.3.10/backend/usb-darwin.c:1039]: (all) Dangerous usage of strncat, possible buffer overrun

Take a look at the code:

static Boolean list_device_cb(void *refcon,
                              io_service_t obj)
    if (deviceIDString != NULL)
      CFStringRef make = NULL,  model = NULL, serial = NULL;
      char uristr[1024], makestr[1024], modelstr[1024], serialstr[1024];
      char optionsstr[1024], idstr[1024], make_modelstr[1024];

1039  strncat(uristr, optionsstr, sizeof(uristr));


strncat is used wrongly here. strncat appends the sizeof(uristr) (here 1024) characters of optionsstr to uristr, plus a terminating null character. If the length of the C string in source is less than num, only the content up to the terminating null character is copied. So, this is a possible situation where a buffer overrun can happen.


Best regards

Ettl Martin
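
An added example, not part of the original post and not CUPS code: it computes how many bytes the reported call pattern strncat(dst, src, sizeof(dst)) can occupy, next to a bounded append that passes the remaining room instead. The helper names strncat_footprint and append_bounded, the 16-byte buffer and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes of dst (terminator included) in use after strncat(dst, src, n):
 * existing text + at most n bytes of src + the NUL that strncat always adds.
 * Computed arithmetically so the unsafe call is never actually executed. */
size_t strncat_footprint(const char *dst, const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n)
        add = n;
    return strlen(dst) + add + 1;
}

/* Bounded append: pass strncat the room left in dst, minus one for the NUL.
 * Returns 0 on success, -1 if src was truncated or dst is not terminated. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;
    size_t room = dstsize - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values; a 16-byte buffer stands in for uristr[1024]. */
    char uri[16] = "usb://HP/x";
    const char *options = "?serial=12345";

    /* Pattern from the report: n = sizeof(uri) ignores the 10 bytes in use. */
    size_t need = strncat_footprint(uri, options, sizeof(uri));
    printf("strncat(uri, options, sizeof(uri)) needs %zu bytes, buffer has %zu\n",
           need, sizeof(uri));

    int rc = append_bounded(uri, sizeof(uri), options);
    printf("bounded append: rc=%d, uri=\"%s\"\n", rc, uri);
    return 0;
}
```

A return value of -1 from append_bounded means the result was truncated, which a caller building a device URI should treat as an error rather than use the shortened string.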
