Bug#720099: Warnings when building nzbget with gcc hardening flags

Wed, 21 Aug 2013 11:04:18 -0700 

Control: tags -1 upstream patch

(Copy of message sent to the author of nzbget)
Hi there,

Debian (and Ubuntu) use hardening flags to harden their binaries against
memory corruption attacks and get some useful warning messages during
compiles. One such warning, when building with -D_FORTIFY_SOURCE=2 [1]
is this:

> $ g++ -D_FORTIFY_SOURCE=2 -g -O2 -c -o RemoteClient.o RemoteClient.cpp
> In file included from /usr/include/string.h:638:0,
>                  from RemoteClient.cpp:36:
> In function ‘char* strncat(char*, const char*, size_t)’,
>     inlined from ‘bool RemoteClient::RequestServerList(bool, bool, const 
> char*)’ at RemoteClient.cpp:537:59:
> /usr/include/x86_64-linux-gnu/bits/string3.h:150:71: warning: call to char* 
> __builtin___strncat_chk(char*, const char*, long unsigned int, long unsigned 
> int) might overflow destination buffer [enabled by default]
>    return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
>                                                                        ^
> In function ‘char* strncat(char*, const char*, size_t)’,
>     inlined from ‘bool RemoteClient::RequestServerList(bool, bool, const 
> char*)’ at RemoteClient.cpp:539:60:
> /usr/include/x86_64-linux-gnu/bits/string3.h:150:71: warning: call to char* 
> __builtin___strncat_chk(char*, const char*, long unsigned int, long unsigned 
> int) might overflow destination buffer [enabled by default]
>    return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
>                                                                        ^
> In function ‘char* strncat(char*, const char*, size_t)’,
>     inlined from ‘bool RemoteClient::RequestServerList(bool, bool, const 
> char*)’ at RemoteClient.cpp:661:117:
> /usr/include/x86_64-linux-gnu/bits/string3.h:150:71: warning: call to char* 
> __builtin___strncat_chk(char*, const char*, long unsigned int, long unsigned 
> int) might overflow destination buffer [enabled by default]
>    return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
>                                                                        ^

My proposal to fix this is to use


> strncat(szParameters, pNZBParameter->GetName(), 
> sizeof(szParameters)-strlen(szParameters)-1);

instead of

> strncat(szParameters, pNZBParameter->GetName(), 1024);

I've attached a patch with those changes. Do you think that this is ok?

Cheers,
  Andreas

[1] https://wiki.debian.org/Hardening#gcc_-D_FORTIFY_SOURCE.3D2_-O1


--- RemoteClient.cpp.orig	2013-08-21 17:53:33.000000000 +0000
+++ RemoteClient.cpp	2013-08-21 17:48:38.000000000 +0000
@@ -534,9 +534,9 @@
 						strncat(szParameters, ", ", 1024);
 					}
 					NZBParameter* pNZBParameter = *it;
-					strncat(szParameters, pNZBParameter->GetName(), 1024);
-					strncat(szParameters, "=", 1024);
-					strncat(szParameters, pNZBParameter->GetValue(), 1024);
+					strncat(szParameters, pNZBParameter->GetName(), sizeof(szParameters)-strlen(szParameters)-1);
+					strncat(szParameters, "=", sizeof(szParameters)-strlen(szParameters)-1);
+					strncat(szParameters, pNZBParameter->GetValue(), sizeof(szParameters)-strlen(szParameters)-1);
 				}
 				if (szParameters[0] != '\0')
 				{
@@ -658,7 +658,7 @@
 
 	if (ntohl(ListResponse.m_iPostJobCount) > 0 || ntohl(ListResponse.m_bPostPaused))
 	{
-		strncat(szServerState, strlen(szServerState) > 0 ? ", Post-Processing" : "Post-Processing", sizeof(szServerState));
+		strncat(szServerState, strlen(szServerState) > 0 ? ", Post-Processing" : "Post-Processing", sizeof(szServerState)-strlen(szServerState)-1);
 		if (ntohl(ListResponse.m_bPostPaused))
 		{
 			strncat(szServerState, " paused", sizeof(szServerState));

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to