-rw-r--r-- | lib/libc/string/strcat.3 | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/lib/libc/string/strcat.3 b/lib/libc/string/strcat.3
index a24a60c..3f24565 100644
--- a/lib/libc/string/strcat.3
+++ b/lib/libc/string/strcat.3
@@ -83,6 +83,65 @@ and
 functions
 return the pointer
 .Fa s .
+.Sh SECURITY CONSIDERATIONS
+The
+.Fn strcat
+function is easily misused in a manner
+which enables malicious users to arbitrarily change
+a running program's functionality through a buffer overflow attack.
+(See
+the FSA.)
+.Pp
+Avoid using
+.Fn strcat .
+Instead, use
+.Fn strncat
+or
+.Fn strlcat
+and ensure that no more characters are copied to the destination buffer
+than it can hold.
+.Pp
+Note that
+.Fn strncat
+can also be problematic.
+It may be a security concern for a string to be truncated at all.
+Since the truncated string will not be as long as the original,
+it may refer to a completely different resource
+and usage of the truncated resource
+could result in very incorrect behavior.
+Example:
+.Bd -literal
+void
+foo(const char *arbitrary_string)
+{
+ char onstack[8];
+
+#if defined(BAD)
+ /*
+ * This first strcat is bad behavior. Do not use strcat!
+ */
+ (void)strcat(onstack, arbitrary_string); /* BAD! */
+#elif defined(BETTER)
+ /*
+ * The following two lines demonstrate better use of
+ * strncat().
+ */
+ (void)strncat(onstack, arbitrary_string,
+ sizeof(onstack) - strlen(onstack) - 1);
+#elif defined(BEST)
+ /*
+ * These lines are even more robust due to testing for
+ * truncation.
+ */
+ if (strlen(arbitrary_string) + 1 >
+ sizeof(onstack) - strlen(onstack))
+ err(1, "onstack would be truncated");
+ (void)strncat(onstack, arbitrary_string,
+ sizeof(onstack) - strlen(onstack) - 1);
+#endif
+}
+
+.Ed
 .Sh SEE ALSO
 .Xr bcopy 3 ,
 .Xr memccpy 3 ,
@@ -91,6 +150,10 @@ return the pointer
 .Xr strcpy 3 ,
 .Xr strlcat 3 ,
 .Xr strlcpy 3
+.Rs
+.%T "The FreeBSD Security Architecture"
+.%J "/usr/share/doc/{to be decided}"
+.Re
 .Sh STANDARDS
 The
 .Fn strcat |
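Review bot: The example added under SECURITY CONSIDERATIONS declares `char onstack[8];` without initialising it, so all three branches (BAD, BETTER and BEST) call `strcat`, `strncat` or `strlen` on a buffer that is not yet a NUL-terminated string. The scan for the terminator can run past the 8-byte array, and if `strlen(onstack)` comes back as 8 or more, `sizeof(onstack) - strlen(onstack) - 1` wraps to a very large `size_t`, which removes the bound the BETTER and BEST branches are meant to demonstrate. Declaring the buffer as `char onstack[8] = "";` makes every branch well defined and keeps the truncation test in BEST meaningful. Because readers copy man-page examples verbatim, it would also help to show the `strlcat` form the text recommends, with its return value compared against `sizeof(onstack)` to detect truncation.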