http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55982
Bug #: 55982
Summary: __strncat_chk is buggy
Classification: Unclassified
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: ppluzhni...@google.com

Oh, the irony. __strncat_chk is buggy, and has been apparently since initial commit:

r101531 | jakub | 2005-07-02 01:52:21 -0700 (Sat, 02 Jul 2005) | 36 lines

#include <string.h>
int main() {
  char buf[16];
  buf[0] = '\0';
  strncat(buf, "0123456789abcdefg", sizeof(buf) - 1);
  return 0;
}

gcc -g -D_FORTIFY_SOURCE=2 strncat.c -O2 && ./a.out && echo ok
ok    # using libc __strncat_chk

gcc -g -D_FORTIFY_SOURCE=2 strncat.c -O2 -lssp && ./a.out && echo ok
*** buffer overflow detected ***: a.out terminated
Illegal instruction (core dumped)

As far as I can tell, the loop on lines 64-96 is supposed to copy 4 bytes at a time:
http://gcc.gnu.org/viewcvs/trunk/libssp/strncat-chk.c?annotate=184997
but actually copies 5. Cut/paste error?

Google ref b/8003094
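As an added illustration, not code from the report or from libssp: a byte-at-a-time reference model of the bound a fortified strncat has to enforce (existing length + min(n, strlen(src)) + 1 for the NUL must not exceed the known destination size), run on the report's own input. The function names strncat_fits and strncat_checked are assumed here.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the check a fortified strncat must perform:
 * report an overflow only when the bytes strncat actually writes
 * (existing length + min(n, strlen(src)) + 1 for the terminating NUL)
 * exceed the known destination size. Returns 1 if the call fits, 0 if not. */
int strncat_fits(size_t destlen, const char *dest, const char *src, size_t n)
{
    size_t dlen = strlen(dest);
    size_t slen = strlen(src);
    size_t copy = slen < n ? slen : n;
    if (dlen >= destlen)            /* dest is not NUL-terminated within bounds */
        return 0;
    return copy + 1 <= destlen - dlen;   /* subtract first to avoid wrap-around */
}

/* Checked strncat that copies one byte at a time. Returns dest on
 * success, or NULL when the call would overflow (a library version
 * such as __strncat_chk aborts instead of returning). */
char *strncat_checked(char *dest, const char *src, size_t n, size_t destlen)
{
    if (!strncat_fits(destlen, dest, src, n))
        return NULL;
    char *d = dest + strlen(dest);
    while (n-- > 0 && *src != '\0')
        *d++ = *src++;
    *d = '\0';
    return dest;
}

/* The report's case: 16-byte buffer, empty string, n = sizeof(buf) - 1.
 * 15 bytes plus the NUL exactly fill the buffer, so this must be accepted. */
int report_case_fits(void)
{
    char buf[16];
    buf[0] = '\0';
    return strncat_checked(buf, "0123456789abcdefg",
                           sizeof(buf) - 1, sizeof(buf)) != NULL;
}
```

Passing n = sizeof(buf) instead of sizeof(buf) - 1 is the genuine overflow (16 bytes plus NUL into 16), and that is the only case this model rejects for an empty buffer.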