The Linux kernel uses the sir_name as a standard C string (in one instance copying it into a 60 char buffer using kstrncpy with a length limit of 60); we therefore need to ensure that it is 0 terminated.
Since the existing code didn't notify the caller if we were truncating the string at 25 characters, I didn't add such a warning/error for truncating at 24 characters.
I was not able to find documentation on how Windows uses irdaServiceName so I didn't change that code.
In both cases I replaced the hardcoded length of 25 with a sizeof() argument (but both Linux and Windows hard code that length in their headers, so it seems unlikely this would ever change).
Coverity CID 207790
Signed-off-by: Dirk Hohndel dirk@hohndel.org --- src/irda.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/irda.c b/src/irda.c index 149808aaa5c2..0ad227d70f40 100644 --- a/src/irda.c +++ b/src/irda.c @@ -222,17 +222,19 @@ dc_irda_connect_name (dc_iostream_t *abstract, unsigned int address, const char peer.irdaDeviceID[2] = (address >> 16) & 0xFF; peer.irdaDeviceID[3] = (address >> 24) & 0xFF; if (name) - strncpy (peer.irdaServiceName, name, 25); + strncpy (peer.irdaServiceName, name, sizeof(peer.irdaServiceName)); else - memset (peer.irdaServiceName, 0x00, 25); + memset (peer.irdaServiceName, 0x00, sizeof(peer.irdaServiceName)); #else struct sockaddr_irda peer; peer.sir_family = AF_IRDA; peer.sir_addr = address; - if (name) - strncpy (peer.sir_name, name, 25); - else - memset (peer.sir_name, 0x00, 25); + if (name) { + strncpy (peer.sir_name, name, sizeof(peer.sir_name) - 1); + peer.sir_name[sizeof(peer.sir_name) - 1] = '\0'; + } else { + memset (peer.sir_name, 0x00, sizeof(peer.sir_name)); + } #endif
return dc_socket_connect (&device->base, (struct sockaddr *) &peer, sizeof (peer));
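Review bot: In the Windows branch, strncpy (peer.irdaServiceName, name, sizeof(peer.irdaServiceName)) still leaves the field without a terminating NUL whenever name is at least as long as the field, while the Linux branch now truncates one byte earlier and terminates. For the same over-long name the two platforms therefore put different service names into peer, and in neither case does the caller learn that truncation happened. Consider checking strlen(name) against the field size once, before the #ifdef, and returning an error when the name does not fit. If the Windows behaviour has to stay as it is, a short comment on that branch saying the missing terminator is deliberate, pending documentation of how irdaServiceName is consumed, would keep the next reader from "fixing" it blindly or assuming it is safe.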