From: Willy Tarreau <w@1wt.eu>
Date: Fri, 7 Apr 2023 13:27:55 +0000 (+0200)
Subject: BUG/MINOR: lua: remove incorrect usage of strncat()
X-Git-Tag: v2.8-dev7~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=22450af22aa112a4bcba1014db8d654208e72121;p=thirdparty%2Fhaproxy.git

BUG/MINOR: lua: remove incorrect usage of strncat()

As every time strncat() is used, it's wrong, and this one is no exception.
Users often think that the length applies to the destination except it
applies to the source and makes it hard to use correctly. The bug did not
have an impact because the length was preallocated from the sum of all
the individual lengths as measured by strlen() so there was no chance one
of them would change in between. But it could change in the future. Let's
fix it to use memcpy() instead for strings, or byte copies for delimiters.

No backport is needed, though it can be done if it helps to apply other
fixes.
---

diff --git a/src/hlua.c b/src/hlua.c
index 561b5d1cd9..84b606e8be 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -10954,6 +10954,7 @@ __LJMP static int hlua_register_cli(lua_State *L)
 	const char *kw[5];
 	struct cli_kw *cli_kw;
 	const char *errmsg;
+	char *end;
 
 	MAY_LJMP(check_args(L, 3, "register_cli"));
 
@@ -11055,12 +11056,21 @@ __LJMP static int hlua_register_cli(lua_State *L)
 		errmsg = "Lua out of memory error.";
 		goto error;
 	}
-	strncat((char *)fcn->name, "<lua.cli", len);
+
+	end = fcn->name;
+	len = 8;
+	memcpy(end, "<lua.cli", len);
+	end += len;
+
 	for (i = 0; i < index; i++) {
-		strncat((char *)fcn->name, ".", len);
-		strncat((char *)fcn->name, cli_kws->kw[0].str_kw[i], len);
+		*(end++) = '.';
+		len = strlen(cli_kws->kw[0].str_kw[i]);
+		memcpy(end, cli_kws->kw[0].str_kw[i], len);
+		end += len;
 	}
-	strncat((char *)fcn->name, ">", len);
+	*(end++) = '>';
+	*(end++) = 0;
+
 	fcn->function_ref[hlua_state_id] = ref_io;
 
 	/* Fill last entries. */