Re: [-Wstringop-overflow=] strncat(3)

public inbox for gcc@gcc.gnu.org
 help / color / mirror / Atom feed

From: Andrew Pinski <pinskia@gmail.com>
To: Alejandro Colomar <alx.manpages@gmail.com>
Cc: gcc@gcc.gnu.org, linux-man <linux-man@vger.kernel.org>,
	 GNU C Library <libc-alpha@sourceware.org>
Subject: Re: [-Wstringop-overflow=] strncat(3)
Date: Wed, 14 Dec 2022 14:57:48 -0800	[thread overview]
Message-ID: <CA+=Sn1nkz5FKFFx3e+A42nhpAF-TLW0Gmdgn4a5NL0KkCpuWNg@mail.gmail.com> (raw)
In-Reply-To: <30a77019-ded0-fe3b-d0db-6c77842674db@gmail.com>

On Wed, Dec 14, 2022 at 2:46 PM Alejandro Colomar via Libc-alpha
<libc-alpha@sourceware.org> wrote:
>
> Hi,
>
> I was rewriting the strncat(3) manual page, and when I tried to compile the
> example program, I got a surprise from the compiler.
>
> Here goes the page:
>
>
>    strncat(3)               Library Functions Manual              strncat(3)
>
>    NAME
>           strncat  -  concatenate  a  null‐padded  character sequence into a
>           string
>
>    LIBRARY
>           Standard C library (libc, -lc)
>
>    SYNOPSIS
>           #include <string.h>
>
>           char *strncat(char *restrict dst, const char src[restrict .sz],
>                          size_t sz);
>
>    DESCRIPTION
>           This function catenates the input character sequence contained  in
>           a  null‐padded  fixed‐width  buffer,  into  a string at the buffer
>           pointed to by dst.  The programmer is responsible for allocating a
>           buffer large enough, that is, strlen(dst) + strnlen(src, sz) + 1.
>
>           An implementation of this function might be:
>
>               char *
>               strncat(char *restrict dst, const char *restrict src, size_t sz)
>               {
>                   int   len;
>                   char  *end;
>
>                   len = strnlen(src, sz);
>                   end = dst + strlen(dst);
>                   end = mempcpy(end, src, len);
>                   *end = '\0';
>
>                   return dst;
>               }
>
>    RETURN VALUE
>           strncat() returns dest.
>
>    ATTRIBUTES
>           [...]
>
>    STANDARDS
>           POSIX.1‐2001, POSIX.1‐2008, C89, C99, SVr4, 4.3BSD.
>
>    CAVEATS
>           The  name of this function is confusing.  This function has no re‐
>           lation with strncpy(3).
>
>           If the destination buffer is not large enough, the behavior is un‐
>           defined.  See _FORTIFY_SOURCE in feature_test_macros(7).
>
>    BUGS
>           This function  can  be  very  inefficient.   Read  about  Shlemiel
>           the       painter      ⟨https://www.joelonsoftware.com/2001/12/11/
>           back-to-basics/⟩.
>
>    EXAMPLES
>           #include <stdio.h>
>           #include <stdlib.h>
>           #include <string.h>
>
>           int
>           main(void)
>           {
>               char    buf[BUFSIZ];
>               size_t  len;
>
>               buf[0] = '\0';  // There’s no ’cpy’ function to this ’cat’.
>               strncat(buf, "Hello ", 6);
>               strncat(buf, "world", 42);  // Padding null bytes ignored.
>               strncat(buf, "!", 1);
>               len = strlen(buf);
>               printf("[len = %zu]: <%s>\n", len, buf);
>
>               exit(EXIT_SUCCESS);
>           }
>
>    SEE ALSO
>           string(3), string_copy(3)
>
>    Linux man‐pages (unreleased)      (date)                       strncat(3)
>
>
> And when you compile that, you get:
>
> $ cc -Wall -Wextra ./strncat.c
> ./strncat.c: In function ‘main’:
> ./strncat.c:12:12: warning: ‘strncat’ specified bound 6 equals source length
> [-Wstringop-overflow=]
>     12 |            strncat(buf, "Hello ", 6);
>        |            ^~~~~~~~~~~~~~~~~~~~~~~~~
> ./strncat.c:14:12: warning: ‘strncat’ specified bound 1 equals source length
> [-Wstringop-overflow=]
>     14 |            strncat(buf, "!", 1);
>        |            ^~~~~~~~~~~~~~~~~~~~
>
>
> So, what?  Where's the problem?  This function does exactly that: "take an
> unterminated character sequence and catenate it to an existing string".  Clang
> seems to be fine with the code.

See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83404 and the
background of why the warning was added here:

https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strncpy-and-strncat.

Thanks,
Andrew Pinski

>
> Cheers,
>
> Alex
>
>
> --
> <http://www.alejandro-colomar.es/>

next prev parent reply	other threads:[~2022-12-14 22:58 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-14 22:45 Alejandro Colomar
2022-12-14 22:51 ` Alejandro Colomar
2022-12-14 22:51   ` Alejandro Colomar
2022-12-14 22:57 ` Andrew Pinski [this message]
2022-12-14 23:14   ` Alejandro Colomar
2022-12-15 20:50     ` Martin Sebor
2022-12-15 22:03       ` Alejandro Colomar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+=Sn1nkz5FKFFx3e+A42nhpAF-TLW0Gmdgn4a5NL0KkCpuWNg@mail.gmail.com' \
    --to=pinskia@gmail.com \
    --cc=alx.manpages@gmail.com \
    --cc=gcc@gcc.gnu.org \
    --cc=libc-alpha@sourceware.org \
    --cc=linux-man@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).