To get a trial key
fill out the form below
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
** By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
** By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
** By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

On the Difference Between strlcat and s…

On the Difference Between strlcat and strncat

Jul 16 2019

While we are working hard on writing big articles on code check of the Haiku operating system, I'd like to give an example of an often found error with strncat function taken from that project. It might be useful for all the C and C++ developers to refresh their knowledge on this topic.


Description of the Functions

The strncat function is used for string concatenation and has the following signature:

char *strncat(char *dest, const char *src, size_t n);

It adds not more than n symbols from the src string to the dest string however, the src string may not end with terminal null. There should be enough space in the dest string, otherwise, program behavior becomes unpredictable because of the buffer overflow for the function does not produce borders control.

The strlcat function is used for string concatenation and, compared to strncat function, it's safer to use one. The strlcat function has the following signature:

size_t strlcat(char *dst, const char *src, size_t size)

Unlike the other functions, it takes the whole buffer size and guarantees the presence of terminal symbol at the result. For the strlcat function proper operation, you need to transmit only null-terminated strings.

Bug in Haiku OS

V645 The 'strncat' function call could lead to the 'output' buffer overflow. The bounds should not contain the size of the buffer, but a number of characters it can hold. NamespaceDump.cpp 101

static void
dump_acpi_namespace(acpi_ns_device_info *device, char *root, int indenting)
  char result[255];
  char output[320];
  char tabs[255] = "";
  char hid[16] = "";
  int i;
  size_t written = 0;
  for (i = 0; i < indenting; i++)
    strlcat(tabs, "|    ", sizeof(tabs));

  strlcat(tabs, "|--- ", sizeof(tabs));
  void *counter = NULL;
  while (....) {
    uint32 type = device->acpi->get_object_type(result);
    snprintf(output, sizeof(output), "%s%s", tabs, result + depth);
    switch(type) {
        strncat(output, "     INTEGER", sizeof(output));
      case ACPI_TYPE_STRING:
        strncat(output, "     STRING", sizeof(output));
      case ACPI_TYPE_BUFFER:
        strncat(output, "     BUFFER", sizeof(output));
        strncat(output, "     PACKAGE", sizeof(output));
      case ACPI_TYPE_MUTEX:
        strncat(output, "     MUTEX", sizeof(output));
      case ACPI_TYPE_REGION:
        strncat(output, "     REGION", sizeof(output));
      case ACPI_TYPE_POWER:
        strncat(output, "     POWER", sizeof(output));
        strncat(output, "     PROCESSOR", sizeof(output));
        strncat(output, "     THERMAL", sizeof(output));
        strncat(output, "     BUFFER_FIELD", sizeof(output));
      case ACPI_TYPE_ANY:

The analyzer detected the mixed code consisting of strlcat and strncat functions calls. However, the strlcat function calls are correct:

char tabs[255] = "";
strlcat(tabs, "|--- ", sizeof(tabs));

they transmit null-terminated string and the whole buffer size.

At the same time, multiple strncat calls in a loop are false and may lead to an error:

char output[320];
strncat(output, "     INTEGER", sizeof(output));

A program may operate sustainably for a long time if short strings entry the function but the buffer limit may be exceeded quickly in the loop.


We have already sent the report to the Haiku OS developers without waiting for the major big articles to be published, and they have already begun fixing the bugs:

Popular related articles
Is there life without RTTI or How we wrote our own dynamic_cast

Date: Oct 13 2022

Author: Vladislav Stolyarov

There aren't many things left in modern C++ that don't fit the "Don't pay for what you don't use" paradigm. One of them is dynamic_cast. In this article, we'll find out what's wrong with it, and afte…
"Our legacy of the past" or why we divided the V512

Date: Aug 12 2022

Author: Mikhail Gelvih

As the saying goes, the first step is always the hardest. That's exactly what happened in our case – after delaying it for so long, we have finally split the V512 diagnostic rule. You can read more a…
Why do arrays have to be deleted via delete[] in C++

Date: Jul 27 2022

Author: Mikhail Gelvih

This note is for C++ beginner programmers who are wondering why everyone keeps telling them to use delete[] for arrays. But, instead of a clear explanation, senior developers just keep hiding behind …
Intermodular analysis of C and C++ projects in detail. Part 2

Date: Jul 14 2022

Author: Oleg Lisiy

In part 1 we discussed the basics of C and C++ projects compiling. We also talked over linking and optimizations. In part 2 we are going to delve deeper into intermodular analysis and discuss its ano…
Intermodular analysis of C and C++ projects in detail. Part 1

Date: Jul 08 2022

Author: Oleg Lisiy

Starting from PVS-Studio 7.14, the C and C++ analyzer has been supporting intermodular analysis. In this two-part article, we'll describe how similar mechanisms are arranged in compilers and reveal s…

Comments (0)

Next comments
Unicorn with delicious cookie
Our website uses cookies to enhance your browsing experience.