[OpenWrt-Devel] [PATCH] use strncpy instead of strcpy

Khem Raj raj.khem at gmail.com
Wed Dec 25 10:46:20 EST 2019


On Wed, Dec 25, 2019 at 1:48 AM Petr Štetiar <ynezz at true.cz> wrote:

> Khem Raj <raj.khem at gmail.com> [2019-12-24 14:15:26]:
>
> > On Tue, Dec 24, 2019 at 1:51 PM Petr Štetiar <ynezz at true.cz> wrote:
> >
> > > Khem Raj <raj.khem at gmail.com> [2019-12-24 10:02:13]:
> > >
> > > Hi,
> > >
> > > use "PATCH libubox" subject prefix, because there is no blobmsg.c file in the
> > > main tree.
> > >
> > > > Fixes error: '__builtin_strcpy' offset 6 from the object at 'attr' is out of
> > > > the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka
> > > > 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
>
> What about the following fix[1]? The target hdr->name buffer already has the
> terminating 0 included, as blobmsg_hdrlen has strlen+1 and blob_new() memsets
> the buffer to 0.
>
> 1.
> https://gitlab.com/ynezz/openwrt-libubox/commit/3775b3aa28de8c20d96b6f02786a327423b0748a
>
> From 3775b3aa28de8c20d96b6f02786a327423b0748a Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz at true.cz>
> Date: Wed, 25 Dec 2019 10:27:59 +0100
> Subject: [PATCH] blobmsg: fix array out of bounds GCC 10 warning
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Fixes following warning reported by GCC 10.0.0 20191203:
>
>  blobmsg.c:234:2: error: 'strcpy' offset 6 from the object at 'attr' is out of the bounds of referenced subobject 'name' with type 'uint8_t[0]' {aka 'unsigned char[0]'} at offset 6 [-Werror=array-bounds]
>    234 |  strcpy((char *) hdr->name, (const char *)name);
>        |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>  In file included from blobmsg.c:16:
>  blobmsg.h:42:10: note: subobject 'name' declared here
>     42 |  uint8_t name[];
>        |          ^~~~
>
> Reported-by: Khem Raj <raj.khem at gmail.com>
> Signed-off-by: Petr Štetiar <ynezz at true.cz>
> ---
>  blobmsg.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/blobmsg.c b/blobmsg.c
> index 48dba8156d58..ef68d8ae59f7 100644
> --- a/blobmsg.c
> +++ b/blobmsg.c
> @@ -240,7 +240,7 @@ blobmsg_new(struct blob_buf *buf, int type, const char
> *name, int payload_len, v
>         attr->id_len |= be32_to_cpu(BLOB_ATTR_EXTENDED);
>         hdr = blob_data(attr);
>         hdr->namelen = cpu_to_be16(namelen);
> -       strcpy((char *) hdr->name, (const char *)name);
> +       memcpy(hdr->name, name, namelen);


Yes, if we are sure about the terminating null, then memcpy works too.


>         pad_end = *data = blobmsg_data(attr);
>         pad_start = (char *) &hdr->name[namelen];
>         if (pad_start < pad_end)
>
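Review bot: the new memcpy(hdr->name, name, namelen); line copies exactly namelen bytes, so unlike the strcpy it replaces it never writes the terminating NUL itself. The string is only terminated because, as the cover text says, blob_new() has already zeroed the buffer and blobmsg_hdrlen reserves strlen+1, and neither guarantee is visible at this call site. Either add a short comment above the memcpy naming those two assumptions, or copy namelen + 1 bytes so the terminator comes from the source string and does not depend on a memset elsewhere. The commit message would also benefit from one sentence stating this reasoning, since at present it only quotes the GCC 10 warning.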