The example code currently passes `buflen - 1` to `strncpy`, however
the length parameter to `strncpy` is `size_t`, which is unsigned.
This means that when `buflen` is zero, the cast of `-1` to unsigned will
result in passing `UINT_MAX` as the length. Obviously, that would be
incorrect and could cause `strncpy` to write well beyond the buffer
passed.
The easy solution is to wrap the whole code in the `buflen > 0`
check, rather then just the part of the code that applies the null
terminator.
Signed-off-by: Matthew Kilgore <mattkilgore12@xxxxxxxxx>
---
man3/strcpy.3 | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/man3/strcpy.3 b/man3/strcpy.3
index 1596a95f59b9..02f7bfaa1416 100644
--- a/man3/strcpy.3
+++ b/man3/strcpy.3
@@ -166,9 +166,10 @@ you can force termination using something like the following:
.PP
.in +4n
.EX
-strncpy(buf, str, buflen \- 1);
-if (buflen > 0)
+if (buflen > 0) {
+ strncpy(buf, str, buflen \- 1);
buf[buflen \- 1]= \(aq\\0\(aq;
+}
.EE
.in
.PP
--
2.17.0
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
