On 18/08/2018 04:56, Philippe Mathieu-Daudé wrote: > Fedora 29 comes with GCC 8.1 which added the 'stringop-truncation' checks. > > Replace the strncpy() calls by g_strlcpy() to avoid the following warning: > > block/sheepdog.c: In function 'find_vdi_name': > block/sheepdog.c:1239:5: error: 'strncpy' specified bound 256 equals > destination size [-Werror=stringop-truncation] > strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN); > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Reported-by: Howard Spoelstra <[email protected]> > Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > --- > See http://lists.nongnu.org/archive/html/qemu-devel/2018-07/msg03723.html > > block/sheepdog.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/block/sheepdog.c b/block/sheepdog.c > index b229a664d9..5dc3d0c39e 100644 > --- a/block/sheepdog.c > +++ b/block/sheepdog.c > @@ -1224,19 +1224,19 @@ static int find_vdi_name(BDRVSheepdogState *s, const > char *filename, > SheepdogVdiReq hdr; > SheepdogVdiRsp *rsp = (SheepdogVdiRsp *)&hdr; > unsigned int wlen, rlen = 0; > - char buf[SD_MAX_VDI_LEN + SD_MAX_VDI_TAG_LEN]; > + /* Ensures that the buffer is zero-filled, > + * which is desirable since we'll soon be sending those bytes, and > + * don't want the send_req to read uninitialized data. > + */ > + char buf[SD_MAX_VDI_LEN + SD_MAX_VDI_TAG_LEN] = { }; > > fd = connect_to_sdog(s, errp); > if (fd < 0) { > return fd; > } > > - /* This pair of strncpy calls ensures that the buffer is zero-filled, > - * which is desirable since we'll soon be sending those bytes, and > - * don't want the send_req to read uninitialized data. > - */ > - strncpy(buf, filename, SD_MAX_VDI_LEN); > - strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN); > + g_strlcpy(buf, filename, SD_MAX_VDI_LEN); > + g_strlcpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN); > > memset(&hdr, 0, sizeof(hdr)); > if (lock) { >
The protocol doesn't require (as far as I can see) the strings to be NULL-terminated, therefore strncpy is the right function to use here. However, we should have a check on the length of filename and tag, so that no truncation is done. This applies to both strncpy and g_strlcpy. Indeed I find g_strlcpy to be harmful because it encourages a style where truncations happen silently. There are very few cases where silent truncation is the right thing to do, and in several cases where you _have to have_ fixed-size buffers, those buffers are sent on the wire---and then g_strlcpy is wrong, while strncpy is just as good as memset+strlen+memcpy (and shorter). Paolo
