[Python-Dev] cpython: Use strncat() instead of strcat() to silence some warnings.

[Antoine Pitrou]

On Sat, 20 Jul 2013 15:48:09 +0300
Serhiy Storchaka <storchaka at gmail.com> wrote:

> 20.07.13 15:36, Antoine Pitrou написав(ла):
> > On Sat, 20 Jul 2013 15:23:46 +0300
> > Serhiy Storchaka <storchaka at gmail.com> wrote:
> >> 20.07.13 15:12, christian.heimes написав(ла):
> >>> http://hg.python.org/cpython/rev/c92f4172d122
> >>> changeset:   84723:c92f4172d122
> >>> user:        Christian Heimes <christian at cheimes.de>
> >>> date:        Sat Jul 20 14:11:28 2013 +0200
> >>> summary:
> >>>     Use strncat() instead of strcat() to silence some warnings.
> >>> CID 486616, CID 486617, CID 486615
> >>>
> > [...]
> >>
> >> This will wrong when strlen(fname) is 30. strncat() will copy only 30
> >> bytes, without terminal NUL.
> >
> > So, for the record, this is roughly how Rasmus Lerdorf introduced a
> > security hole in PHP 5.3.7:
> >
> >
> > "For people asking me out-of-band what the screw-up was, it was pretty
> > simple. I changed this code:
> >
> > memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
> > strlcpy(passwd + MD5_MAGIC_LEN, sp, sl + 1);
> > strcat(passwd, "$");
> >
> > to:
> >
> > memcpy(passwd, MD5_MAGIC, MD5_MAGIC_LEN);
> > strlcpy(passwd + MD5_MAGIC_LEN, sp, sl + 1);
> > strlcat(passwd, "$", 1);
> >
> > **because the Coverity static analyzer warned about using strcat**
> > [emphasis mine] and we generally try to avoid naked strcat/strcpy in the
> > codebase even though in this case it is safe to do."
> >
> > https://plus.google.com/113641248237520845183/posts/g68d9RvRA1i
> 
> strlcat != strncat. strlcat(dst, src, 1) actually do nothing.

This is true. But the trigger in the "fix" was the same (trying to
suppress a Coverity warning about strcat).

Regards

Antoine.