bug-tar

Re: cpio - covscan issues


From: Paul Eggert
Subject: Re: cpio - covscan issues
Date: Thu, 8 Apr 2021 12:02:57 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1

On 4/8/21 12:47 AM, Ondrej Dubaj wrote:

diff --git a/src/tar.c b/src/tar.c
index 99ef8a2..a5873e7 100644
--- a/src/tar.c
+++ b/src/tar.c
@@ -146,6 +146,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr,
int out_des)
    name_len = strlen (file_hdr->c_name);
    if (name_len <= TARNAMESIZE)
      {
+      memset(tar_hdr->name, '\0', name_len+1);
        strncpy (tar_hdr->name, file_hdr->c_name, name_len);
      }
    else
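
Review bot: The added memset in the `name_len <= TARNAMESIZE` branch clears `name_len+1` bytes, one more than the strncpy after it copies, so when name_len equals TARNAMESIZE (which the `<=` test permits) it writes TARNAMESIZE+1 bytes starting at tar_hdr->name. If the field is TARNAMESIZE bytes wide, as the length check implies, that last byte lands outside it. If zero-filling is wanted, bound it by the field width (for example `sizeof tar_hdr->name`) rather than by `name_len+1`, or drop the line; the call also omits the space before the parenthesis that the neighbouring `strncpy (` uses.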

This fix isn't right. The 'name' array is not necessarily null terminated; see <https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_18_03>. This unusual data structure is exactly what strncpy is designed for.

Coverity has a horror of strncpy, understandably so since strncpy is so often misused. But it's being used correctly here, and in the other places that your email proposed patches for.

Coverity's utimens warning is reasonable even though the code was technically correct. As discussed in my previous email, that should be fixed in Gnulib now. The other cpio warnings all appear to be false alarms.
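
The fixed-width, not necessarily terminated `name` field discussed above, as an added example that is not code from cpio or from this thread: a writer that fills the field with strncpy, a reader that bounds the length by the field width, and a replay of the quoted `name_len+1` memset on a raw byte copy to show how far it reaches. Assumptions: `NAME_FIELD` is 100 (the ustar name width, standing in for `TARNAMESIZE`), strncpy is bounded by the field width here so the NUL padding is visible, and `demo_hdr`, `put_name`, `get_name` and `memset_reaches_mode` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_FIELD 100   /* assumed width of the ustar name field */
/* Hypothetical cut-down header: 'name' followed directly by 'mode'. */
struct demo_hdr { char name[NAME_FIELD]; char mode[8]; };

/* Writer: strncpy copies the name and NUL-pads the rest of the field.
   A name of exactly NAME_FIELD bytes fills it and gets no terminator. */
int put_name (struct demo_hdr *h, const char *src)
{
  if (strlen (src) > NAME_FIELD) return -1;   /* longer names need another path */
  strncpy (h->name, src, NAME_FIELD);
  return 0;
}

/* Reader: the length is bounded by the field width, not by a NUL. */
size_t get_name (const struct demo_hdr *h, char *out, size_t outsz)
{
  const char *nul = memchr (h->name, '\0', NAME_FIELD);
  size_t len = nul ? (size_t) (nul - h->name) : NAME_FIELD;
  if (outsz == 0) return 0;
  if (len >= outsz) len = outsz - 1;
  memcpy (out, h->name, len);
  out[len] = '\0';
  return len;
}

/* Replays the quoted memset length (name_len + 1) on a raw byte copy of the
   header. Returns 1 if the first byte of 'mode' was zeroed, 0 if not. */
int memset_reaches_mode (size_t name_len)
{
  unsigned char raw[sizeof (struct demo_hdr)];
  if (name_len > NAME_FIELD) return -1;
  memset (raw, 'x', sizeof raw);
  memset (raw + offsetof (struct demo_hdr, name), '\0', name_len + 1);
  return raw[offsetof (struct demo_hdr, mode)] != 'x';
}

int main (void)
{
  struct demo_hdr h = { "", "0000644" };
  char full[NAME_FIELD + 1], out[NAME_FIELD + 1];
  memset (full, 'a', NAME_FIELD); full[NAME_FIELD] = '\0';   /* constructed input */
  put_name (&h, full);
  printf ("len=%zu mode=%s reach=%d\n", get_name (&h, out, sizeof out),
          h.mode, memset_reaches_mode (NAME_FIELD));
  return 0;
}
```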


