to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS-Studio license for Microsoft MVP specialists
** By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
** By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
** By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
On the Difference Between strlcat and s…

On the Difference Between strlcat and strncat

Jul 16 2019

While we are working hard on writing big articles on code check of the Haiku operating system, I'd like to give an example of an often found error with strncat function taken from that project. It might be useful for all the C and C++ developers to refresh their knowledge on this topic.

0640_strncat_strlcat/image1.png

Description of the Functions

The strncat function is used for string concatenation and has the following signature:

char *strncat(char *dest, const char *src, size_t n);

It adds not more than n symbols from the src string to the dest string however, the src string may not end with terminal null. There should be enough space in the dest string, otherwise, program behavior becomes unpredictable because of the buffer overflow for the function does not produce borders control.

The strlcat function is used for string concatenation and, compared to strncat function, it's safer to use one. The strlcat function has the following signature:

size_t strlcat(char *dst, const char *src, size_t size)

Unlike the other functions, it takes the whole buffer size and guarantees the presence of terminal symbol at the result. For the strlcat function proper operation, you need to transmit only null-terminated strings.

Bug in Haiku OS

V645 The 'strncat' function call could lead to the 'output' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. NamespaceDump.cpp 101

static void
dump_acpi_namespace(acpi_ns_device_info *device, char *root, int indenting)
{
  char result[255];
  char output[320];
  char tabs[255] = "";
  char hid[16] = "";
  int i;
  size_t written = 0;
  for (i = 0; i < indenting; i++)
    strlcat(tabs, "|    ", sizeof(tabs));

  strlcat(tabs, "|--- ", sizeof(tabs));
  ....
  void *counter = NULL;
  while (....) {
    uint32 type = device->acpi->get_object_type(result);
    snprintf(output, sizeof(output), "%s%s", tabs, result + depth);
    switch(type) {
      case ACPI_TYPE_INTEGER:
        strncat(output, "     INTEGER", sizeof(output));
        break;
      case ACPI_TYPE_STRING:
        strncat(output, "     STRING", sizeof(output));
        break;
      case ACPI_TYPE_BUFFER:
        strncat(output, "     BUFFER", sizeof(output));
        break;
      case ACPI_TYPE_PACKAGE:
        strncat(output, "     PACKAGE", sizeof(output));
        break;
      ....
      case ACPI_TYPE_MUTEX:
        strncat(output, "     MUTEX", sizeof(output));
        break;
      case ACPI_TYPE_REGION:
        strncat(output, "     REGION", sizeof(output));
        break;
      case ACPI_TYPE_POWER:
        strncat(output, "     POWER", sizeof(output));
        break;
      case ACPI_TYPE_PROCESSOR:
        strncat(output, "     PROCESSOR", sizeof(output));
        break;
      case ACPI_TYPE_THERMAL:
        strncat(output, "     THERMAL", sizeof(output));
        break;
      case ACPI_TYPE_BUFFER_FIELD:
        strncat(output, "     BUFFER_FIELD", sizeof(output));
        break;
      case ACPI_TYPE_ANY:
      default:
        break;
    }
    ....
  }
  ....
}

The analyzer detected the mixed code consisting of strlcat and strncat functions calls. However, the strlcat function calls are correct:

char tabs[255] = "";
....
strlcat(tabs, "|--- ", sizeof(tabs));

they transmit null-terminated string and the whole buffer size.

At the same time, multiple strncat calls in a loop are false and may lead to an error:

char output[320];
....
strncat(output, "     INTEGER", sizeof(output));

A program may operate sustainably for a long time if short strings entry the function but the buffer limit may be exceeded quickly in the loop.

P.S.

We have already sent the report to the Haiku OS developers without waiting for the major big articles to be published, and they have already begun fixing the bugs: https://git.haiku-os.org/haiku/log/?qt=grep&q=pvs

Popular related articles
C++ subtleties: so, you've declared a class...

Date: Feb 07 2023

Author: Sergey Larin

Our team constantly encounters some C++ features that may be unknown to some developers. In this article, we're going to learn how a seemingly typical feature — class forward declarations — works.
Under the hood of SAST: how code analysis tools look for security flaws

Date: Jan 26 2023

Author: Sergey Vasiliev

Here we'll discuss how SAST solutions find security flaws. I'll tell you about different and complementary approaches to detecting potential vulnerabilities, explain why each of them is necessary, an…
Is there life without RTTI or How we wrote our own dynamic_cast

Date: Oct 13 2022

Author: Vladislav Stolyarov

There aren't many things left in modern C++ that don't fit the "Don't pay for what you don't use" paradigm. One of them is dynamic_cast. In this article, we'll find out what's wrong with it, and afte…
Why do arrays have to be deleted via delete[] in C++

Date: Jul 27 2022

Author: Mikhail Gelvih

This note is for C++ beginner programmers who are wondering why everyone keeps telling them to use delete[] for arrays. But, instead of a clear explanation, senior developers just keep hiding behind …
Intermodular analysis of C and C++ projects in detail. Part 2

Date: Jul 14 2022

Author: Oleg Lisiy

In part 1 we discussed the basics of C and C++ projects compiling. We also talked over linking and optimizations. In part 2 we are going to delve deeper into intermodular analysis and discuss its ano…


Comments (0)

Next comments next comments
close comment form
Unicorn with delicious cookie
Our website uses cookies to enhance your browsing experience.
Accept