Message-Id: <200909052250.n85Mo5tI070253@www.freebsd.org>
Date: Sat, 5 Sep 2009 22:50:05 GMT
From: Dmytro Gorbunov
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/138560: Incorrect usage of strncpy function

>Number:         138560
>Category:       bin
>Synopsis:       Incorrect usage of strncpy function
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 05 23:00:12 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Dmytro Gorbunov
>Release:        7.2
>Organization:
Savesources.com
>Environment:
>Description:
Dear sir/madam,

I've found a few issues in FreeBSD's sources related to incorrect usage of the strncpy function.

For example, ./sbin/ifconfig/ifieee80211.c:

    2414 static void
    2415 list_capabilities(int s)
    2416 {
    2417         struct ieee80211req ireq;
    2418         u_int32_t caps;
    2419
    2420         (void) memset(&ireq, 0, sizeof(ireq));
    2421         (void) strncpy(ireq.i_name, name, sizeof(ireq.i_name));

So, ireq.i_name can become non-zero-terminated. The correct line in this case is

    2421         (void) strncpy(ireq.i_name, name, sizeof(ireq.i_name)-1);

There are a lot of such problems in the code; the next example is the following:

./contrib/wpa_supplicant/preauth_test.c

    278         os_strncpy(wpa_s->ifname, ifname, sizeof(wpa_s->ifname));
    279         wpa_sm_set_ifname(wpa_s->wpa, wpa_s->ifname, NULL);
    280
    281         l2 = l2_packet_init(wpa_s->ifname, NULL, ETH_P_RSN_PREAUTH, NULL,

The correct variant is

    278         os_strncpy(wpa_s->ifname, ifname, sizeof(wpa_s->ifname) - 1);
    279         wpa_s->ifname[sizeof(wpa_s->ifname) - 1] = '\0';

These issues were found in the scope of my project for preventing issues in software written in C/C++:
http://savesources.com

Please contact me if you have any ideas/suggestions/questions.

Best regards,
Dmytro Gorbunov
Leader of savesources.com
>How-To-Repeat:
Please look at the description.
>Fix:
It is also mentioned in the description.
>Release-Note:
>Audit-Trail:
>Unformatted:
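
The behaviour the report describes, as an added example that is not part of the original report or of FreeBSD's sources: passing the full buffer size to strncpy leaves the destination without a terminator when the source is at least that long, even after a memset, while the size - 1 form with an explicit terminator stays bounded and can report truncation. NAME_SZ, the function names and the sample strings are assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16 /* assumed size for this demo, not taken from the report */

/* Returns 1 if buf[0..size) contains a NUL byte, 0 otherwise. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Reported pattern: zero the buffer, then pass its full size as the count.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
static int copy_full_size(char *dst, size_t size, const char *src)
{
    memset(dst, 0, size);
    strncpy(dst, src, size); /* writes no NUL when strlen(src) >= size */
    return is_terminated(dst, size);
}

/* Corrected pattern: copy at most size - 1 bytes and terminate explicitly.
 * Returns 0 if src fit, -1 if it was truncated (or size is 0), so the
 * caller can reject an over-long name instead of using a shortened one. */
static int copy_bounded(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return -1;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) < size ? 0 : -1;
}

int main(void)
{
    char buf[NAME_SZ];
    const char *exact = "0123456789abcdef"; /* constructed: 16 chars, fills buf */

    printf("full size, short name: terminated=%d\n",
           copy_full_size(buf, sizeof(buf), "wlan0"));
    printf("full size, 16-char name: terminated=%d\n",
           copy_full_size(buf, sizeof(buf), exact));
    printf("bounded, 16-char name: rc=%d stored=\"%s\"\n",
           copy_bounded(buf, sizeof(buf), exact), buf);
    return 0;
}
```

Checking the return value of the bounded copy matters for interface names in particular, since a silently shortened name may refer to a different interface than the one requested.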