[Bug c/93636] Incorrect diagnostic of a potential string overflow in strncat

msebor at gcc dot gnu.org Sun, 09 Feb 2020 14:58:52 -0800

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93636


Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |diagnostic
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |msebor at gcc dot gnu.org
         Resolution|---                         |INVALID

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
The warning is intentional.  The expected use of the strncat function is to
limit the output to the space in the destination, not to the length source
(using strncat the way the test case in comment #0 does is the same as strcat).
 The latter use is a common source of buffer overflow bugs that the warning is
designed to help avoid.

The articles below provide additional background:
https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/
https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strncpy-and-strncat.

[Bug c/93636] Incorrect diagnostic of a potential string overflow in strncat

Reply via email to