simulavr-devel

[Simulavr-devel] [bug #29049] wrong use of strncat()


From: Ilya Barygin
Subject: [Simulavr-devel] [bug #29049] wrong use of strncat()
Date: Wed, 03 Mar 2010 11:52:10 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

URL:
  <http://savannah.nongnu.org/bugs/?29049>

                 Summary: wrong use of strncat()
                 Project: Simulavr: an AVR simulator
            Submitted by: conscious
            Submitted on: Wed 03 Mar 2010 14:52:10
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: address@hidden
             Open/Closed: Open
         Discussion Lock: Any
       Component Version: simulavr

    _______________________________________________________

Details:

A rebuild of simulavr for Ubuntu Lucid detected a possible buffer overflow:

if i486-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I.    -Wall -Winline -Werror
-I../src/getopt -Wall -g -O2 -MT eeprom.o -MD -MP -MF ".deps/eeprom.Tpo" -c -o
eeprom.o eeprom.c; \
        then mv -f ".deps/eeprom.Tpo" ".deps/eeprom.Po"; else rm -f
".deps/eeprom.Tpo"; exit 1; fi
cc1: warnings being treated as errors
In file included from /usr/include/string.h:640,
                 from eeprom.c:30:
In function 'strncat',
    inlined from 'eeprom_dump_core' at eeprom.c:395:
/usr/include/bits/string3.h:154: error: call to __builtin___strncat_chk might
overflow destination buffer
make[4]: *** [eeprom.o] Error 1

This is due to wrong use of strncat(). The third parameter of this function
limits the number of characters copied, not the total size of the buffer.

The proposed fix (applies to 0.1.2.6 as well) is:

--- simulavr-0.1.2.2.orig/src/eeprom.c
+++ simulavr-0.1.2.2/src/eeprom.c
@@ -392,7 +392,7 @@
             line[0] = '\0';
         }
         snprintf (buf, 80, "%02x ", storage_readb (eeprom->stor, i));
-        strncat (line, buf, 80);
+        strncat (line, buf, 80 - strlen(line) - 1);
     }
     if (dup > 0)
     {
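Review bot: the new bound in `strncat (line, buf, 80 - strlen(line) - 1);` is only right while `line` really is an 80-byte array, and that declaration is outside this hunk; writing it as `sizeof(line) - strlen(line) - 1` keeps the bound tied to the array so a later resize cannot silently bring the overflow back. The expression is also unsigned arithmetic: it only stays small because the `line[0] = '\0';` reset above guarantees a terminator inside the buffer, which is worth a one-line comment next to the call.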
--- simulavr-0.1.2.2.orig/src/memory.c
+++ simulavr-0.1.2.2/src/memory.c
@@ -416,7 +416,7 @@
             line[0] = '\0';
         }
         snprintf (buf, 80, "%02x ", mem_read (mem, i));
-        strncat (line, buf, 80);
+        strncat (line, buf, 80 - strlen(line) - 1);
     }
     if (dup > 0)
     {
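Review bot: this is the same `snprintf`/`strncat` pair being patched in a second file, with a third copy in flash.c below; a small shared append helper would put the line-length invariant in one place instead of three literal 80s. Note the behavioural change too: an entry that does not fit is now silently truncated rather than overflowing, so if the flush block that resets `line[0] = '\0';` is meant to guarantee room for every entry, an `assert (strlen(line) + strlen(buf) < 80)` before the append would document that and fail loudly if the flush interval ever changes.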
--- simulavr-0.1.2.2.orig/src/flash.c
+++ simulavr-0.1.2.2/src/flash.c
@@ -252,7 +252,7 @@
             line[0] = '\0';
         }
         snprintf (buf, 80, "%04x ", flash_read (flash, i));
-        strncat (line, buf, 80);
+        strncat (line, buf, 80 - strlen(line) - 1);
     }
     if (dup > 0)
     {
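Review bot: flash.c formats each word as `"%04x "` (5 characters) where the other two hunks use `"%02x "` (3), so a line fills at a different entry count here while the same hard-coded 80 is used; the bound fix is correct, but check that the flush block above (`line[0] = '\0';`) is sized for 5-character entries, otherwise the new bound will quietly drop the last word of a line rather than overflow as before.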

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?29049>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
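The point the report makes about strncat()'s third argument, worked through in C as an added example (this is not simulavr code): it computes how many bytes a strncat() call will write for a given bound, wraps the patched `size - strlen - 1` arithmetic in a helper that also refuses an unterminated destination, and drives a dump loop shaped like the one in the hunks. LINE_SIZE, the helper names and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example mirroring the shape of the dump loop in the report:
 * an 80-byte line buffer filled with "%02x " entries. None of this is
 * simulavr code; LINE_SIZE and the helper names are ours. */
#define LINE_SIZE 80

/* Bytes that strncat(dst, src, n) will write at the end of dst, including
 * the terminator it always appends: strlen(dst) + min(strlen(src), n) + 1.
 * Computed without calling strncat, so nothing can overflow here. */
size_t strncat_bytes_written(const char *dst, const char *src, size_t n)
{
    size_t src_len = strlen(src);
    if (src_len > n)
        src_len = n;
    return strlen(dst) + src_len + 1;
}

/* Append src to dst without ever exceeding dst_size bytes in total.
 * Returns true when all of src fit, false when it was truncated or when
 * dst had no terminator inside dst_size (then nothing is written). */
bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return false;                   /* unterminated dst: refuse */
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;  /* the patch's 80 - strlen(line) - 1 */
    strncat(dst, src, room);            /* writes at most room + 1 bytes */
    return strlen(src) <= room;
}

/* Format bytes as "xx " into line. Stops at the first entry that would not
 * fit whole and returns the number of entries written. */
size_t dump_line(char line[LINE_SIZE], const uint8_t *data, size_t n)
{
    char buf[8];
    size_t i;

    line[0] = '\0';
    for (i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "%02x ", data[i]);
        /* need strlen(line) + strlen(buf) + 1 <= LINE_SIZE to fit */
        if (strlen(line) + strlen(buf) >= LINE_SIZE)
            break;
        append_bounded(line, LINE_SIZE, buf);
    }
    return i;
}

/* How many "xx " entries fit in one line for n input bytes (constructed data). */
size_t entries_that_fit(size_t n)
{
    uint8_t data[64];
    char line[LINE_SIZE];
    size_t i;

    if (n > sizeof data)
        n = sizeof data;
    for (i = 0; i < n; i++)
        data[i] = (uint8_t)i;
    return dump_line(line, data, n);
}

/* Reproduce the report's situation: a line already holding 26 entries
 * (78 characters) and one more "ab " to append. Returns how many bytes
 * strncat would write with the bound n, so the original literal 80 can be
 * compared against LINE_SIZE - strlen(line) - 1. */
size_t bytes_for_27th_entry(size_t n)
{
    uint8_t data[26];
    char line[LINE_SIZE];

    memset(data, 0xab, sizeof data);
    dump_line(line, data, 26);
    return strncat_bytes_written(line, "ab ", n);
}

int main(void)
{
    printf("entries per line: %zu\n", entries_that_fit(40));
    printf("27th entry, bound 80: %zu bytes into an 80-byte buffer\n",
           bytes_for_27th_entry(80));
    printf("27th entry, bound 80-78-1: %zu bytes\n",
           bytes_for_27th_entry(LINE_SIZE - 78 - 1));
    return 0;
}
```

With the line already 78 characters long, the original bound of 80 lets strncat() write 82 bytes into an 80-byte buffer, which is exactly what the `__builtin___strncat_chk` warning in the build log is about; the patched bound caps the write at 80 bytes, turning the overflow into a truncation that the caller can detect from append_bounded()'s return value.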