[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: report a warning
From: |
Hans-Bernhard Bröker |
Subject: |
Re: report a warning |
Date: |
Mon, 9 Jan 2023 19:35:42 +0100 |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 |
Am 09.01.2023 um 18:44 schrieb Gavin Smith:
There have long been compiler warnings about the use of strncat in
install-info.c but there isn't any indication that the code is actually
incorrect. This compiler warning seems to be completely bogus.
It's not. It warns about a practice that has often been used to avoid
another warning, while not actually achieving any improvement.
In a nutshell, strcat() itself has long since been frowned upon as a
highly likely source of buffer overflows, and has triggered complaints
from code checking tools and picky modes of modern compilers for quite a
while now. Many got into the habit of working around these warnings by
replacing
strcat(a, b);
with some equivalent of
size_t length_of_b = strlen(b);
/*...*/
strncat(a, b, length_of_b);
While this avoids literally calling strcat(), it offers no added safety
at all: in situations where that strcat() call blows up, the replacement
code behaves every bit as badly.
Modern compiler versions detect this code pattern and report it as the
silly thing it really is.
The real way the code could be improved is to avoid using strcat or
strncat altogether.
I disagree with that. IMHO the real solution should be to provide a
less silly value for the third argument of this strncat().
In other words the problem is not that this code is calling strncat().
It's that it doesn't even try to keep track of how much of the allocated
buffer *description it has used already, so it cannot know what the
third argument of strncat() has to be.
However, in the referenced line in this warning, it seems that strcat could
be used for exactly the same thing. I'm going to make this change
just so we stop getting reports.
That would most likely just exchange this warning for complaints from
source auditing tools (like clang's "scan-build").