Amber Jain's weblog (OLD)

Visit my new weblog at http://amber-jain.blogspot.in/

g++ warnings on OpenBSD: “strcpy() is almost always misused, please use strlcpy()” and “strcat() is almost always misused, please use strlcat()”


strcpy() and strcat() related warnings on OpenBSD with gcc/g++

I have a box with OpenBSD 4.5 installed. When compiling C++ programs using g++, I get the following warnings:

/usr/lib/libstdc++.so.47.0: warning: strcpy() is almost always misused, please use strlcpy()
/usr/lib/libstdc++.so.47.0: warning: strcat() is almost always misused, please use strlcat()
Well, “Unix Programming Tools” from Stanford’s website says:
“Getting used to compiles that produce “a few warnings” is a very bad habit”.

I asked the reason for these warnings on ##c++-basic on irc.freenode.net. The guys there suggested some options to me (e.g. -Wno-deprecated, -Wno-deprecated-declarations).

Then somehow this thought struck my mind: what if this has something to do with ‘propolice’? Or what if this is an OpenBSD-related issue? OpenBSD strives hard to be secure. Although not all OpenBSD packages go through a rigorous security audit, gcc is something that is likely to be ‘modified’ to fit OpenBSD’s goals. So, I asked this on #openbsd (at freenode). Here’s the IRC log:

AmberJ> Why does gcc/g++ outputs 2 warnings: “strcpy() is almost always misused, please use strlcpy() [and the same with strcat]”….Is it because openbsd has propolice enabled?
….because I don’t seem to encounter those warnings on other OSes with propolice disabled
AmberJ: it’s a linking warning, you’ll only see it when you link something that uses strcpy() etc
oenone, But why those warnings pop up only on OpenBSD ?
AmberJ: because other OSes don’t have the warnings in their version of libc

I updated this info to ##c++-basic. IRC-log:

AmberJ> That’s it! I hope that is the answer to my original question
jps_77, SukhE metabol Leoneof` thanks all 🙂
AmberJ: that was a retarded reply that you got in #openbsd
try in #gcc

I then tried at #gcc as suggested (at freenode). IRC log:

AmberJ> Why does gcc/g++ outputs 2 warnings: “strcpy() is almost always misused, please use strlcpy() [and the same with strcat]”….Is it because openbsd has propolice enabled?
I’m using gcc 3.3.5 (propolice)
Of course, I’m using OpenBSD 4.5
AmberJ: that sounds a lot like OpenBSD broke it. (they invented those l forms)
noshadow, Someone at #openbsd mentioned: “Other OSes don’t have similar warnings because other OSes don’t have the warnings in their version of libc”
AmberJ: yes, that’s a possible place where they could have put those unnecessary warnings.
noshadow, ok ty 🙂
though the warning is really the wrong way round. why strcpy is useful often, strlcpy is always always misused…
ok

Of course, you can feel the ‘anti-openbsd’ feeling in the air 😉

In the end, the folks at ##c++-basic suggested that I try installing a newer version of gcc, i.e. 4.x (mind you, gcc/g++ 3.3.5-propolice is the version that is shipped with OpenBSD 4.5), and if this problem persists (Is this really a problem? Read this. I suppose the warning is apt.), they suggested that I try to compile gcc from source.

More soon.

🙂


Written by Amber Jain

January 9, 2010 at 1:24 PM

4 Responses


  1. The reason these warnings come up is the strcpy without a buffer of fixed length, i.e. strlcpy, is a classic soft spot that you can attempt to use as a buffer overflow. By fixing the buffer length when copying you ensure that someone cannot shoehorn some really long string in and e.g. overflow machine code into memory where it gets executed.

    jake

    May 22, 2010 at 8:07 PM

  2. jake

    May 22, 2010 at 8:11 PM

  3. I agree with most of what is said here.

    JeffE44

    June 2, 2010 at 12:44 AM

  4. I added your blog to bookmarks. And I’ll read your articles more often!

    EnsuntyWest

    June 8, 2010 at 7:13 AM

