The Linux kernel uses the sir_name as a standard C string (in one instance copying it into a 60 char buffer using kstrncpy with a length limit of 60), we therefore need to ensure that it is 0 terminated. Since the existing code didn't notify the caller if we were truncating the string at 25 characters, I didn't add such a warning/error for truncating at 24 characters. I was not able to find documentation on how Windows uses irdaServiceName so I didn't change that code. In both cases I replaced the hardcoded length of 25 with a sizeof() argument (but both Linux and Windows hard code that length in their headers, so it seems unlikely this would ever change). Coverity CID 207790 Signed-off-by: Dirk Hohndel <dirk@hohndel.org> --- src/irda.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/irda.c b/src/irda.c index 149808aaa5c2..0ad227d70f40 100644 --- a/src/irda.c +++ b/src/irda.c @@ -222,17 +222,19 @@ dc_irda_connect_name (dc_iostream_t *abstract, unsigned int address, const char peer.irdaDeviceID[2] = (address >> 16) & 0xFF; peer.irdaDeviceID[3] = (address >> 24) & 0xFF; if (name) - strncpy (peer.irdaServiceName, name, 25); + strncpy (peer.irdaServiceName, name, sizeof(peer.irdaServiceName)); else - memset (peer.irdaServiceName, 0x00, 25); + memset (peer.irdaServiceName, 0x00, sizeof(peer.irdaServiceName)); #else struct sockaddr_irda peer; peer.sir_family = AF_IRDA; peer.sir_addr = address; - if (name) - strncpy (peer.sir_name, name, 25); - else - memset (peer.sir_name, 0x00, 25); + if (name) { + strncpy (peer.sir_name, name, sizeof(peer.sir_name) - 1); + peer.sir_name[sizeof(peer.sir_name) - 1] = '\0'; + } else { + memset (peer.sir_name, 0x00, sizeof(peer.sir_name)); + } #endif return dc_socket_connect (&device->base, (struct sockaddr *) &peer, sizeof (peer)); -- 2.15.1
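Review bot: In the Windows branch, the changed call strncpy (peer.irdaServiceName, name, sizeof(peer.irdaServiceName)) still leaves the field without a terminating NUL whenever name is as long as the field or longer, which is the same condition the #else branch now guards against. If the terminator is deliberately left out there, a one-line comment above that call saying so would keep the asymmetry between the two branches from reading as an oversight; otherwise use the same sizeof(...) - 1 copy followed by an explicit '\0' store. Separately, the #else branch now cuts name at sizeof(peer.sir_name) - 1 bytes without telling the caller, so an over-long name connects under a different service name than the one passed in; comparing strlen (name) against the field size before the copy and failing the call would make that case visible.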