@@ -154,6 +154,7 @@ char *debugfs_mount(const char *mountpoint)
/* save the mountpoint */
strncpy(debugfs_mountpoint, mountpoint, sizeof(debugfs_mountpoint));
+ debugfs_mountpoint[sizeof(debugfs_mountpoint) - 1] = '\0';
debugfs_found = 1;
return debugfs_mountpoint;
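Review bot: An over-long `mountpoint` is now silently truncated, so `debugfs_found` is still set and the returned string is a different path from the one the caller passed in. Since the saved value is presumably used later to build file paths, rejecting the input is safer than shortening it, for example with `if (strlen(mountpoint) >= sizeof(debugfs_mountpoint)) return NULL;` before the copy. That assumes callers already treat NULL as failure; the rest of `debugfs_mount` lies outside this hunk, so this needs confirming. With the length check in place the copy can no longer truncate, and the added terminator line remains only as a safety net.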
@@ -59,6 +59,7 @@ int netsock_open(struct globals *globals)
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) {
fprintf(stderr, "can't get interface: %s\n", strerror(errno));
goto err;
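Review bot: A `globals->interface` value of IFNAMSIZ characters or more is cut down to IFNAMSIZ - 1 here, and the shortened name is what `SIOCGIFINDEX` then looks up, so the call can resolve a different interface that happens to share the prefix instead of failing. Checking the length before the copy reports the bad input rather than acting on a truncated one, e.g. `if (strlen(globals->interface) >= IFNAMSIZ) { fprintf(stderr, "interface name too long\n"); goto err; }`. The same applies to the identical copy in `check_if_socket` and to the `ifname` copy in `get_if_mac`; a small shared helper that validates and copies the name would keep the three sites consistent. All three functions continue outside their hunks.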
@@ -242,6 +242,7 @@ static void check_if_socket(struct globals *globals)
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, globals->interface, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) {
fprintf(stderr, "can't get interface: %s, closing netsock\n",
strerror(errno));
@@ -102,6 +102,7 @@ static int get_if_mac(char *ifname, uint8_t *mac)
int sock, ret;
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ ifr.ifr_name[IFNAMSIZ - 1] = '\0';
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "can't get interface: %s\n", strerror(errno));
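Review bot: `ifr` is not cleared before the copy in `get_if_mac`, whereas `netsock_open` and `check_if_socket` both call `memset(&ifr, 0, sizeof(ifr));` first. Unless `ifr` is zero-initialised at its declaration above the hunk, the fields other than `ifr_name` hold uninitialised stack bytes when the structure is used in any later request. Adding `memset(&ifr, 0, sizeof(ifr));` before the `strncpy` would make the three sites agree. The message printed when `socket()` fails says "can't get interface", which misreports the failing call; something like `"can't open socket: %s\n"` would be more accurate. The function body continues outside the hunk.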
strncpy doesn't terminate the string with a '\0' character when the length of the destination memory location was shorter than the source string. Accessing it again with string related functions isn't safe after such a semi-failed copy and the caller has to handle it. The easiest way is to always set the last character in the destination buffer to '\0' after the strncpy was called.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
debugfs.c | 1 +
netsock.c | 1 +
server.c | 1 +
vis/vis.c | 1 +
4 files changed, 4 insertions(+)