https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83106

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Martin Sebor from comment #3)
> The warning for strncat helps find similar bugs as for strncpy: defeating
> the size constraint by specifying the length of the source rather than the
> amount of space in the destination:
> 
>   strncat (d, s, strlen (s));
> 
> This is, of course, equivalent to strcat (d, s) and so an
> unnecessary/unintended use of the function.  Similar recommendation as for
> strncpy also applies to strncat:
> 
>   strncat (d, s, sizeof d - strlen (d) - 1);
> 
> See for example:
> https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strncpy-and-strncat
> 
> The GCC code happens to be safe but there's no good way to distinguish safe
> but unintended uses from unsafe ones and so the warning errs on the side of
> caution.

Only if you misuse strncat for something it has not been designed for.
If you already compute strlen (d), it makes no sense to use a function that
needs to compute it again.
See e.g. https://en.wikipedia.org/wiki/C_string_handling on what it says about
these functions.  target.c uses strncat properly; trying to use it for security
purposes of not overflowing destination is typically just a bug.
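
The two positions in this exchange, side by side, as an added example that is not code from GCC or from either commenter. The helper names append_bounded and append_field and all sample inputs are hypothetical: the first bounds the copy by the space left in the destination and computes the destination length only once, the second uses strncat with a bound that describes the source field.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append src to the NUL-terminated string in dst, whose
   total capacity is dstsize bytes. The copy is bounded by the space left in
   dst (the same quantity as sizeof d - strlen (d) - 1), never by strlen (src),
   and the length of dst is computed once rather than again inside strncat.
   Returns 0 if all of src fit, 1 if it was truncated, and -1 if dst holds no
   NUL within dstsize bytes (nothing is written in that case). */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;
    size_t used = (size_t)(end - dst);
    size_t room = dstsize - used - 1;       /* bytes free before the NUL slot */
    size_t want = strlen(src);
    size_t n = want < room ? want : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return want > room;
}

/* Hypothetical helper: append a fixed-width field that may lack a terminating
   NUL. Here the strncat bound is the width of the source field; the caller
   must separately guarantee that dst has room for width + 1 more bytes. */
void append_field(char *dst, const char *field, size_t width)
{
    strncat(dst, field, width);
}

int main(void)
{
    /* Constructed input: 8 bytes of source into a buffer with 5 bytes free. */
    char d[8] = "ab";
    int truncated = append_bounded(d, sizeof d, "cdefghij");
    printf("truncated=%d d=\"%s\"\n", truncated, d);

    /* Constructed input: a 4-byte field with no NUL terminator. */
    const char tag[4] = { 'G', 'N', 'U', '!' };
    char out[16] = "id=";
    append_field(out, tag, sizeof tag);
    printf("out=\"%s\"\n", out);
    return 0;
}
```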
