From afec2e2addb177c7876fd3c6ac72cb53d8eacc26 Mon Sep 17 00:00:00 2001
From: redraincatching <99604494+redraincatching@users.noreply.github.com>
Date: Thu, 12 Jun 2025 10:15:46 +0100
Subject: [PATCH] guarantee no oob write in strncat (#1702)
based on [this codescanning alert](https://github.com/redraincatching/coturn/security/code-scanning/166) guarantees that the `turn_params.cipher_list` will be null-terminated, and that the call to strncpy cannot attempt to access out-of-bounds memory
---
 src/apps/relay/mainrelay.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index ef59df0..e084c85 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -36,6 +36,7 @@
 #include "dbdrivers/dbdriver.h"
 #include "prom_server.h"
+#include
 #if defined(WINDOWS)
 #include
@@ -3568,9 +3569,10 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
 if (!(turn_params.cipher_list[0])) {
 strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE);
+ assert(strlen(DEFAULT_CIPHER_LIST) < TURN_LONG_STRING_SIZE);
 #if defined(DEFAULT_CIPHERSUITES)
- strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
- strncat(turn_params.cipher_list, DEFAULT_CIPHERSUITES, TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
+ strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list) - 1);
+ strncat(turn_params.cipher_list, DEFAULT_CIPHERSUITES, TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list) - 1);
 #endif
 }
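Review bot: The `assert(strlen(DEFAULT_CIPHER_LIST) < TURN_LONG_STRING_SIZE)` added in set_ctx runs after the `strncpy` it is meant to guard and is compiled out when NDEBUG is defined, so a release build still has no guarantee that `turn_params.cipher_list` is NUL-terminated before the `strlen()` calls inside the two `strncat` lines. If DEFAULT_CIPHER_LIST is a string-literal macro (its definition is not in this hunk), the same condition can be enforced in every build with `_Static_assert(sizeof(DEFAULT_CIPHER_LIST) <= TURN_LONG_STRING_SIZE, "default cipher list too long");`, or the copy can terminate explicitly with `turn_params.cipher_list[TURN_LONG_STRING_SIZE - 1] = '\0';` directly after the `strncpy`. The new `- 1` bounds also mean an over-long DEFAULT_CIPHERSUITES is truncated silently, which would pass a cut-off cipher string on to the TLS configuration; a length check that fails loudly is preferable to truncation here. set_ctx begins and ends outside the hunk, so how the list is consumed afterwards is not visible.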