The Linux kernel uses the sir_name as a standard C string (in one instance copying it into a 60 char buffer using kstrncpy with a length limit of 60); we therefore need to ensure that it is 0 terminated.
Since the existing code didn't notify the caller if we were truncating the string at 25 characters, I didn't add such a warning/error for truncating at 24 characters.
I was not able to find documentation on how Windows uses irdaServiceName, but since this is implementing the same standard, the same change was made to the Windows code.
In both cases I replaced the hardcoded length of 25 with a sizeof() argument (but both Linux and Windows hard code that length in their headers, so it seems unlikely this would ever change).
Coverity CID 207790
Signed-off-by: Dirk Hohndel dirk@hohndel.org
---
 src/irda.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/irda.c b/src/irda.c index 149808aaa5c2..972c1255bc45 100644 --- a/src/irda.c +++ b/src/irda.c @@ -221,18 +221,22 @@ dc_irda_connect_name (dc_iostream_t *abstract, unsigned int address, const char peer.irdaDeviceID[1] = (address >> 8) & 0xFF; peer.irdaDeviceID[2] = (address >> 16) & 0xFF; peer.irdaDeviceID[3] = (address >> 24) & 0xFF; - if (name) - strncpy (peer.irdaServiceName, name, 25); - else - memset (peer.irdaServiceName, 0x00, 25); + if (name) { + strncpy (peer.irdaServiceName, name, sizeof(peer.irdaServiceName) - 1); + peer.irdaServiceName[sizeof(peer.irdaServiceName) - 1] = '\0'; + } else { + memset (peer.irdaServiceName, 0x00, sizeof(peer.irdaServiceName)); + } #else struct sockaddr_irda peer; peer.sir_family = AF_IRDA; peer.sir_addr = address; - if (name) - strncpy (peer.sir_name, name, 25); - else - memset (peer.sir_name, 0x00, 25); + if (name) { + strncpy (peer.sir_name, name, sizeof(peer.sir_name) - 1); + peer.sir_name[sizeof(peer.sir_name) - 1] = '\0'; + } else { + memset (peer.sir_name, 0x00, sizeof(peer.sir_name)); + } #endif
return dc_socket_connect (&device->base, (struct sockaddr *) &peer, sizeof (peer));
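Review bot: In both the irdaServiceName and sir_name branches, a name of 25 or more characters is now silently cut to 24 and the connect goes ahead with a different service name than the caller passed in; consider comparing strlen (name) against sizeof of the field and failing the call before dc_socket_connect rather than truncating. Separately, in the #else branch peer is declared without an initializer and only sir_family, sir_addr and sir_name are assigned before sizeof (peer) bytes are handed to dc_socket_connect, so a single memset (&peer, 0, sizeof (peer)) right after the declaration would cover any remaining members and padding, and would make both the else branch and the explicit '\0' store unnecessary.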