Dear sir/madam,

I've found a few issues in FreeBSD's sources related to incorrect usages of the strncpy function. For example, ./sbin/ifconfig/ifieee80211.c:

    2414 static void
    2415 list_capabilities(int s)
    2416 {
    2417     struct ieee80211req ireq;
    2418     u_int32_t caps;
    2419
    2420     (void) memset(&ireq, 0, sizeof(ireq));
    2421     (void) strncpy(ireq.i_name, name, sizeof(ireq.i_name));

So, ireq.i_name can become non-zero-terminated. The correct line in this case is:

    2421     (void) strncpy(ireq.i_name, name, sizeof(ireq.i_name)-1);

There are a lot of such problems in the code; the next example is the following, ./contrib/wpa_supplicant/preauth_test.c:

    278     os_strncpy(wpa_s->ifname, ifname, sizeof(wpa_s->ifname));
    279     wpa_sm_set_ifname(wpa_s->wpa, wpa_s->ifname, NULL);
    280
    281     l2 = l2_packet_init(wpa_s->ifname, NULL, ETH_P_RSN_PREAUTH, NULL,

The correct variant is:

    278     os_strncpy(wpa_s->ifname, ifname, sizeof(wpa_s->ifname) - 1);
    279     wpa_s->ifname[sizeof(wpa_s->ifname) - 1] = '\0';

These issues were found in the scope of my project for preventing issues in software written in C/C++: http://savesources.com

Please contact me if you have any ideas/suggestions/questions.

Best regards,
Dmytro Gorbunov
Leader of savesources.com

Fix: It is also mentioned in the description.
How-To-Repeat: Please look at the description.
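The strncpy behaviour the report describes, shown as an added C example that is not part of the bug report or of FreeBSD's sources. It copies into a fixed-size name field with the flagged pattern (full buffer size) and with the proposed fix (size minus one plus an explicit terminator), then checks whether a NUL ended up in the field and how far a naive string reader would walk when the field is followed by non-zero bytes. DEMO_NAMSIZ, DEMO_TRAILER and the sample interface names are constructed for this example; 16 is used because it matches IFNAMSIZ on FreeBSD, but nothing here depends on that.

```c
#include <stdio.h>
#include <string.h>

/* Size of the name field in this demo. 16 matches IFNAMSIZ (the size of
 * ieee80211req.i_name) on FreeBSD, but the constant is an assumption made
 * for this example, not taken from the report. */
#define DEMO_NAMSIZ 16
/* Number of non-zero bytes placed after the field, standing in for the
 * struct members that follow i_name in a real request structure. */
#define DEMO_TRAILER 8

/* The pattern the report flags: strncpy with the full buffer size.
 * When src has DEMO_NAMSIZ or more characters, no NUL is written at all. */
static void copy_as_reported(char *dst, const char *src)
{
    strncpy(dst, src, DEMO_NAMSIZ);
}

/* The fix proposed in the report: copy at most size-1 bytes and set the
 * terminator explicitly. strlcpy(), mentioned in the follow-up comment,
 * gives the same guarantee in a single call. */
static void copy_fixed(char *dst, const char *src)
{
    strncpy(dst, src, DEMO_NAMSIZ - 1);
    dst[DEMO_NAMSIZ - 1] = '\0';
}

/* Bounded string length, so the demo does not rely on strnlen() being
 * declared under a strict -std= setting. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 if the name field contains a NUL after the copy, 0 otherwise. */
int copy_is_terminated(const char *src, int use_fix)
{
    char name[DEMO_NAMSIZ];
    memset(name, 0x7f, sizeof name);   /* constructed: non-zero garbage, as in a stale struct */
    if (use_fix)
        copy_fixed(name, src);
    else
        copy_as_reported(name, src);
    return memchr(name, '\0', sizeof name) != NULL;
}

/* Length a strlen()-style reader of the name field would observe. The field
 * is followed by DEMO_TRAILER non-zero bytes, so a missing terminator makes
 * the read run past the field; the walk stops at the array's last byte. */
size_t observed_name_length(const char *src, int use_fix)
{
    char buf[DEMO_NAMSIZ + DEMO_TRAILER];
    memset(buf, 'X', sizeof buf);      /* constructed: what follows the field */
    buf[sizeof buf - 1] = '\0';        /* hard stop so the demo never reads out of bounds */
    if (use_fix)
        copy_fixed(buf, src);
    else
        copy_as_reported(buf, src);
    return bounded_len(buf, sizeof buf);
}

int main(void)
{
    /* constructed sample names: 5 characters (fits) and 16 characters (fills the field) */
    const char *inputs[] = { "wlan0", "abcdefghijklmnop" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-18s as reported: terminated=%d length=%zu | fixed: terminated=%d length=%zu\n",
               inputs[i],
               copy_is_terminated(inputs[i], 0), observed_name_length(inputs[i], 0),
               copy_is_terminated(inputs[i], 1), observed_name_length(inputs[i], 1));
    }
    return 0;
}
```

For the short name both variants behave identically, which is why the defect is easy to miss in testing. For the 16-character name the reported pattern leaves the field without a terminator and the observed length runs into the trailing bytes; the fixed variant silently truncates to 15 characters, so a caller that must reject over-long names still needs its own length check before the copy.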
For bugs matching the following criteria:
Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.
Mail being skipped.
1) This code was rewritten since base r178354 (multi-bss support).
2) Probably, it was before base r189251 (now strlcpy() is used instead, since the wpa_supplicant 0.6.3 release).