RFR(S): 8252407: Build failure with gcc-8+ and asan
Florian Weimer
fweimer at redhat.com
Wed Sep 2 07:19:52 UTC 2020
* Magnus Ihse Bursie:
> Maybe we should have a common library for all native code where we
> supply our own string operation functions? It will then be much easier
> to make sure the implementation passes different compiler versions,
> and that we provide sane semantics (which isn't really the case with
> the original C library functions; hence all this warning churning).
When I looked at this (sorry that I never sent a patch), pretty much all
uses of strncpy were actually bugs: The code should check the actual
string length using strlen, report an error if it would be truncated,
and then use memcpy with the length already computed, plus one.
In other words, the strncpy warnings are correct, and there is only
churn in the sense that GCC gets smarter at discovering bugs.
At least one of the bugs was in theory user-visible: the network
interface code would return data for an interface that does not actually
exist on the system.
Thanks,
Florian
More information about the core-libs-dev
mailing list