From c52e45ed972c6935605d59fc428a513d9cb1ac24 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Sun, 8 Feb 2015 07:54:16 -0800
Subject: ril.cpp: fix misuse of strncat

strncat(dest,src,size) appends size+1 bytes to the end of dest,
so sizeof(dest) must be greater than strlen(dest) + size + 1.
Passing the buffer size to strncat instead of
sizeof(dest) - strlen(dest) - 1 is a common strncat bug.

Use strlcat instead, as it has more intuitive behavior and ensures
the buffer is properly null terminated.

Addresses the following compiler warning:

    In file included from system/core/include/cutils/sockets.h:22:0,
                     from hardware/ril/libril/ril.cpp:24:
    In function 'char* strncat(char*, const char*, size_t)',
        inlined from 'void android::RIL_register(const RIL_RadioFunctions*)' at hardware/ril/libril/ril.cpp:4258:62:
    bionic/libc/include/string.h:199:61: warning: call to char* __builtin___strncat_chk(char*, const char*, unsigned int, unsigned int) might overflow destination buffer
         return __builtin___strncat_chk(dest, src, n, __bos(dest));
         ^

(line numbers are from internal master and do not match AOSP)

Even with this change, this code feels weird.
MAX_DEBUG_SOCKET_NAME_LENGTH is 12, and rildebug is initialized
to be SOCKET_NAME_RIL_DEBUG ("rild-debug"), which is 11 bytes
including null terminator. The strlcat call here can append
a maximum of 1 byte before the buffer is full. I don't know if
this is intended or not.

Change-Id: I49801ad1ea3aa6173bbc9fd7cf00f3d308693253
---
libril/ril.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libril/ril.cpp b/libril/ril.cpp
index bfdeea5..86127c4 100644
--- a/libril/ril.cpp
+++ b/libril/ril.cpp
@@ -4013,7 +4013,7 @@ RIL_register (const RIL_RadioFunctions *callbacks) { char rildebug[MAX_DEBUG_SOCKET_NAME_LENGTH] = SOCKET_NAME_RIL_DEBUG; if (inst != NULL) { - strncat(rildebug, inst, MAX_DEBUG_SOCKET_NAME_LENGTH); + strlcat(rildebug, inst, MAX_DEBUG_SOCKET_NAME_LENGTH); } s_fdDebug = android_get_control_socket(rildebug); -- cgit v1.2.3
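
Review bot: The return value of strlcat in RIL_register is discarded, so a truncated socket name is handed to android_get_control_socket without any error. Per the commit message, MAX_DEBUG_SOCKET_NAME_LENGTH is 12 and "rild-debug" already occupies 11 bytes with its terminator, so any inst longer than one character is cut short and the lookup runs against a name other than the intended one. Suggest checking the result, for example `if (strlcat(rildebug, inst, sizeof(rildebug)) >= sizeof(rildebug))`, and logging and bailing out on truncation. Using sizeof(rildebug) instead of repeating the macro keeps the bound tied to the declaration, and the buffer should be enlarged if multi-character instance suffixes are expected.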