[LTP] [PATCH v2 1/2] inotify: replace strcpy() with snprintf()

Jinseok Kim always.starving0@gmail.com
Fri Mar 13 17:05:15 CET 2026


Use snprintf() instead of strcpy() to avoid potential buffer
overflows when constructing file names.

Signed-off-by: Jinseok Kim <always.starving0@gmail.com>
---
 testcases/kernel/syscalls/inotify/inotify02.c | 24 +++++++++----------
 testcases/kernel/syscalls/inotify/inotify04.c | 10 ++++----
 testcases/kernel/syscalls/inotify/inotify07.c |  8 +++----
 testcases/kernel/syscalls/inotify/inotify10.c | 10 ++++----
 4 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/testcases/kernel/syscalls/inotify/inotify02.c b/testcases/kernel/syscalls/inotify/inotify02.c
index 314c1bd49..423676bf9 100644
--- a/testcases/kernel/syscalls/inotify/inotify02.c
+++ b/testcases/kernel/syscalls/inotify/inotify02.c
@@ -35,7 +35,7 @@
 #define EVENT_BUF_LEN        (EVENT_MAX * (EVENT_SIZE + 16))

 #define BUF_SIZE 256
-static char fname1[BUF_SIZE], fname2[BUF_SIZE], fname3[BUF_SIZE];
+static char fname1[BUF_SIZE], fname2[BUF_SIZE+32], fname3[BUF_SIZE+32];
 static int fd, fd_notify, reap_wd;
 static int wd;

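Review bot: The `+32` added to `fname2` and `fname3` is an unexplained magic number, and nothing at the declaration says what it has to cover. Judging from the later hunks it is headroom for the `.rename1`/`.rename2` suffixes appended to `fname1`, which `SAFE_GETCWD(fname1, BUF_SIZE)` fills with at most `BUF_SIZE` bytes, so that the `snprintf()` calls cannot truncate. Tying the size to the suffix makes that relationship self-checking: `static char fname1[BUF_SIZE], fname2[BUF_SIZE + sizeof(".rename1")], fname3[BUF_SIZE + sizeof(".rename2")];`. Alternatively keep the constant and add `/* room for the ".renameN" suffix appended in verify_inotify() */`. Kernel coding style also wants spaces around the operator, `BUF_SIZE + 32`.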
@@ -61,40 +61,40 @@ void verify_inotify(void)
 	 */
 	SAFE_CHMOD(".", 0755);
 	event_set[test_cnt].mask = IN_ISDIR | IN_ATTRIB;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	fd = SAFE_CREAT(FILE_NAME1, 0755);
 	event_set[test_cnt].mask = IN_CREATE;
-	strcpy(event_set[test_cnt].name, FILE_NAME1);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME1);
 	test_cnt++;
 	event_set[test_cnt].mask = IN_OPEN;
-	strcpy(event_set[test_cnt].name, FILE_NAME1);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME1);
 	test_cnt++;

 	SAFE_CLOSE(fd);
 	event_set[test_cnt].mask = IN_CLOSE_WRITE;
-	strcpy(event_set[test_cnt].name, FILE_NAME1);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME1);
 	test_cnt++;

 	SAFE_RENAME(FILE_NAME1, FILE_NAME2);
 	event_set[test_cnt].mask = IN_MOVED_FROM;
-	strcpy(event_set[test_cnt].name, FILE_NAME1);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME1);
 	test_cnt++;
 	event_set[test_cnt].mask = IN_MOVED_TO;
-	strcpy(event_set[test_cnt].name, FILE_NAME2);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME2);
 	test_cnt++;

 	SAFE_GETCWD(fname1, BUF_SIZE);
-	snprintf(fname2, BUF_SIZE, "%s.rename1", fname1);
+	snprintf(fname2, sizeof(fname2), "%s.rename1", fname1);
 	SAFE_RENAME(fname1, fname2);
 	event_set[test_cnt].mask = IN_MOVE_SELF;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	SAFE_UNLINK(FILE_NAME2);
 	event_set[test_cnt].mask = IN_DELETE;
-	strcpy(event_set[test_cnt].name, FILE_NAME2);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME2);
 	test_cnt++;

 	/*
@@ -103,12 +103,12 @@ void verify_inotify(void)
 	 * we can correct determine kernel bug which exist before
 	 * 2.6.25. See comment below.
 	 */
-	snprintf(fname3, BUF_SIZE, "%s.rename2", fname1);
+	snprintf(fname3, sizeof(fname3), "%s.rename2", fname1);
 	SAFE_RENAME(fname2, fname3);

 	SAFE_RENAME(fname3, fname1);
 	event_set[test_cnt].mask = IN_MOVE_SELF;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	int len, i = 0, test_num = 0;
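Review bot: The `snprintf()` calls that copy `FILE_NAME1`/`FILE_NAME2` into `event_set[test_cnt].name` ignore the return value, so an over-long name is now truncated silently instead of overflowing. That removes the memory-safety problem, but a truncated expected name would later fail to match the name the kernel reports and the test would report a kernel failure rather than its own undersized buffer. The size of `name` and the macro definitions are outside this hunk, so whether this can happen today cannot be confirmed from here. A small helper that breaks the test on truncation (sketched below, assuming the file uses the new test library's `tst_brk()`) makes the failure explicit, and the same applies to the `snprintf()` calls added in inotify04.c, inotify07.c and inotify10.c. The call lines here and in inotify04.c/inotify07.c also run well past 80 columns while inotify10.c wraps the same call after the size argument, so one layout should be used throughout; verify_inotify() starts before and continues past this hunk.

```c
/* Copy an expected event name; break the test rather than truncate it. */
static void set_event_name(char *dst, size_t size, const char *src)
{
	int ret = snprintf(dst, size, "%s", src);

	if (ret < 0 || (size_t)ret >= size)
		tst_brk(TBROK, "event name '%s' does not fit in %zu bytes", src, size);
}

	/* … unchanged: SAFE_CREAT(FILE_NAME1, 0755) and the mask assignment … */
	set_event_name(event_set[test_cnt].name,
		       sizeof(event_set[test_cnt].name), FILE_NAME1);
```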
diff --git a/testcases/kernel/syscalls/inotify/inotify04.c b/testcases/kernel/syscalls/inotify/inotify04.c
index 947623952..2d7f34bae 100644
--- a/testcases/kernel/syscalls/inotify/inotify04.c
+++ b/testcases/kernel/syscalls/inotify/inotify04.c
@@ -91,10 +91,10 @@ void verify_inotify(void)
 	reap_wd_dir = 0;

 	event_set[test_cnt].mask = IN_DELETE_SELF;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;
 	event_set[test_cnt].mask = IN_IGNORED;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	SAFE_UNLINK(TEST_FILE);
@@ -108,14 +108,14 @@ void verify_inotify(void)
 	 * understand how Unix works.
 	 */
 	event_set[test_cnt].mask = IN_ATTRIB;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	event_set[test_cnt].mask = IN_DELETE_SELF;
-	strcpy(event_set[test_cnt].name, TEST_FILE);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", TEST_FILE);
 	test_cnt++;
 	event_set[test_cnt].mask = IN_IGNORED;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	len = SAFE_READ(0, fd_notify, event_buf, EVENT_BUF_LEN);
diff --git a/testcases/kernel/syscalls/inotify/inotify07.c b/testcases/kernel/syscalls/inotify/inotify07.c
index b4000f353..f0acd9e91 100644
--- a/testcases/kernel/syscalls/inotify/inotify07.c
+++ b/testcases/kernel/syscalls/inotify/inotify07.c
@@ -74,18 +74,18 @@ void verify_inotify(void)
 	 */
 	SAFE_CHMOD(DIR_PATH, 0755);
 	event_set[test_cnt].mask = IN_ISDIR | IN_ATTRIB;
-	strcpy(event_set[test_cnt].name, "");
+	event_set[test_cnt].name[0] = '\0';
 	test_cnt++;

 	SAFE_TOUCH(FILE_PATH, 0644, NULL);
 	event_set[test_cnt].mask = IN_OPEN;
-	strcpy(event_set[test_cnt].name, FILE_NAME);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME);
 	test_cnt++;
 	event_set[test_cnt].mask = IN_CLOSE_WRITE;
-	strcpy(event_set[test_cnt].name, FILE_NAME);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME);
 	test_cnt++;
 	event_set[test_cnt].mask = IN_ATTRIB;
-	strcpy(event_set[test_cnt].name, FILE_NAME);
+	snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name), "%s", FILE_NAME);
 	test_cnt++;

 	int len = SAFE_READ(0, fd_notify, event_buf, EVENT_BUF_LEN);
diff --git a/testcases/kernel/syscalls/inotify/inotify10.c b/testcases/kernel/syscalls/inotify/inotify10.c
index 4c3a1d116..0a94ead15 100644
--- a/testcases/kernel/syscalls/inotify/inotify10.c
+++ b/testcases/kernel/syscalls/inotify/inotify10.c
@@ -121,25 +121,27 @@ static void verify_inotify(unsigned int n)
 	if (wd_parent && (tc->parent_mask & IN_ATTRIB)) {
 		event_set[test_cnt].wd = wd_parent;
 		event_set[test_cnt].mask = tc->parent_mask | IN_ISDIR;
-		strcpy(event_set[test_cnt].name, TEST_DIR);
+		snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name),
+			 "%s", TEST_DIR);
 		test_cnt++;
 	}
 	if (wd_subdir && (tc->subdir_mask & IN_ATTRIB)) {
 		event_set[test_cnt].wd = wd_subdir;
 		event_set[test_cnt].mask = tc->subdir_mask | IN_ISDIR;
-		strcpy(event_set[test_cnt].name, "");
+		event_set[test_cnt].name[0] = '\0';
 		test_cnt++;
 	}
 	if (wd_parent && (tc->parent_mask & IN_ATTRIB)) {
 		event_set[test_cnt].wd = wd_parent;
 		event_set[test_cnt].mask = tc->parent_mask;
-		strcpy(event_set[test_cnt].name, TEST_FILE);
+		snprintf(event_set[test_cnt].name, sizeof(event_set[test_cnt].name),
+			 "%s", TEST_FILE);
 		test_cnt++;
 	}
 	if (wd_child && (tc->child_mask & IN_ATTRIB)) {
 		event_set[test_cnt].wd = wd_child;
 		event_set[test_cnt].mask = tc->child_mask;
-		strcpy(event_set[test_cnt].name, "");
+		event_set[test_cnt].name[0] = '\0';
 		test_cnt++;
 	}

--
2.43.0

