pupnp / pupnp

libupnp: Build UPnP-compliant control points, devices, and bridges on several operating systems.
https://pupnp.github.io/pupnp
BSD 3-Clause "New" or "Revised" License

GCC 10 -Wstringop-overflow warning #300

Closed whyman closed 3 years ago

whyman commented 3 years ago
[33/63] /usr/bin/x86_64-pc-linux-gnu-gcc -DNDEBUG -Dupnp_shared_EXPORTS -I/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/threadutil -I/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/inc -I/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/inc -I. -Iupnp/inc -I/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/ixml/inc -I/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/ixml/src/inc  -march=native -O2 -pipe -fPIC -fmacro-prefix-map=/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/= -pthread -MD -MT upnp/CMakeFiles/upnp_shared.dir/src/genlib/net/http/httpreadwrite.c.o -MF upnp/CMakeFiles/upnp_shared.dir/src/genlib/net/http/httpreadwrite.c.o.d -o upnp/CMakeFiles/upnp_shared.dir/src/genlib/net/http/httpreadwrite.c.o -c /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/genlib/net/http/httpreadwrite.c
In file included from /usr/include/string.h:519,
                 from /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/inc/UpnpLog.h:45,
                 from /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/inc/upnp.h:46,
                 from /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/inc/httpparser.h:42,
                 from /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/inc/httpreadwrite.h:39,
                 from /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/genlib/net/http/httpreadwrite.c:42:
In function ‘strncpy’,
    inlined from ‘get_hoststr’ at /var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/genlib/net/http/httpreadwrite.c:199:9:
/usr/include/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/genlib/net/http/httpreadwrite.c: In function ‘get_hoststr’:
/var/tmp/portage/net-libs/libupnp-9999/work/libupnp-9999/upnp/src/genlib/net/http/httpreadwrite.c:197:23: note: length computed here
  197 |         urlPathSize = strlen(url_str) + 1;
      |    
mrjimenez commented 3 years ago

The real problem is not the strncpy(). The real problem is alloca(). As far as I can read, *hoststr becomes a pointer to invalid memory after the function returns and is used later. Totally bogus code.

I have committed a fix.
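The dangling-pointer pattern described above, as an added example that is not libupnp's code: a hypothetical get_hoststr that hands back a pointer into an alloca() copy of the URL, beside a version that slices the caller's url_str instead (function names and the pointer-plus-length interface are assumptions for illustration).

```c
#include <alloca.h>
#include <stddef.h>
#include <string.h>

/* Buggy pattern (hypothetical reconstruction, not libupnp's code): the host is
 * located inside an alloca() copy of the URL, so *hoststr points into this
 * function's stack frame. That memory is dead once the function returns, and
 * any later read through *hoststr is undefined behaviour. This is also the
 * strncpy() that trips -Wstringop-overflow: its bound is the source length. */
int get_hoststr_buggy(const char *url_str, const char **hoststr, size_t *hostlen)
{
	size_t urlPathSize = strlen(url_str) + 1;
	char *temp = alloca(urlPathSize);   /* valid only until return */
	strncpy(temp, url_str, urlPathSize);
	char *start = strstr(temp, "//");
	if (!start)
		return -1;
	start += 2;
	char *end = strchr(start, '/');
	*hostlen = end ? (size_t)(end - start) : strlen(start);
	*hoststr = start;                   /* dangling after return */
	return 0;
}

/* Hardened form: no temporary copy at all. The host is reported as a
 * (pointer, length) slice of the caller's url_str, which outlives this call,
 * so nothing stack-local escapes and no bounded copy is needed. */
int get_hoststr_fixed(const char *url_str, const char **hoststr, size_t *hostlen)
{
	const char *start = strstr(url_str, "//");
	if (!start)
		return -1;
	start += 2;
	const char *end = strchr(start, '/');
	*hostlen = end ? (size_t)(end - start) : strlen(start);
	*hoststr = start;
	return 0;
}

/* Convenience check: does the fixed parser yield exactly `expected`? */
int host_equals(const char *url_str, const char *expected)
{
	const char *h;
	size_t n;
	if (get_hoststr_fixed(url_str, &h, &n) != 0)
		return 0;
	return n == strlen(expected) && memcmp(h, expected, n) == 0;
}
```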

mrjimenez commented 3 years ago

Just found out that there are 2 more examples of this code in the same file, with an even worse bug.