Index: channels/chan_misdn.c
===================================================================
--- channels/chan_misdn.c (revision 103196)
+++ channels/chan_misdn.c (working copy)
@@ -2246,8 +2246,7 @@
 buf[1]=0; l = sizeof(bc->infos_pending);
- strncat(bc->infos_pending,buf,l);
- bc->infos_pending[l-1] = 0;
+ strncat(bc->infos_pending, buf, l - strlen(bc->infos_pending) - 1);
 } break; case MISDN_CALLING_ACKNOWLEDGE:
@@ -2257,8 +2256,7 @@
 { int l = sizeof(bc->dad);
- strncat(bc->dad,bc->info_dad, l - strlen(bc->dad));
- bc->dad[l-1] = 0;
+ strncat(bc->dad, bc->info_dad, l - strlen(bc->dad) - 1);
 } { int l = sizeof(p->ast->exten);
@@ -4054,8 +4052,7 @@
 } l = sizeof(bc->dad);
- strncat(bc->dad,bc->info_dad, l);
- bc->dad[l-1] = 0;
+ strncat(bc->dad,bc->info_dad, l - strlen(bc->dad) - 1);
 l = sizeof(ch->ast->exten); strncpy(ch->ast->exten, bc->dad, l);
@@ -4133,8 +4130,7 @@
 if (ch->state != MISDN_CONNECTED ) { if (digits) { int l = sizeof(bc->dad);
- strncat(bc->dad,bc->info_dad, l);
- bc->dad[l-1] = 0;
+ strncat(bc->dad, bc->info_dad, l - strlen(bc->dad) - 1);
 l = sizeof(ch->ast->exten); strncpy(ch->ast->exten, bc->dad, l); ch->ast->exten[l-1] = 0;
@@ -4436,8 +4432,7 @@
 { int l = sizeof(bc->dad);
- strncat(bc->dad,bc->infos_pending, l - strlen(bc->dad));
- bc->dad[l-1] = 0;
+ strncat(bc->dad, bc->infos_pending, l - strlen(bc->dad) - 1);
 } if (!ch->ast) break;
Index: apps/app_voicemail.c
===================================================================
--- apps/app_voicemail.c (revision 103197)
+++ apps/app_voicemail.c (working copy)
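Review bot: In channels/chan_misdn.c (hunk at -2246, and the same pattern at -2257, -4054, -4133 and -4436) the new bound `l - strlen(dst) - 1` is only valid while the destination is already NUL-terminated inside its `l` bytes. The subtraction is carried out in `size_t`, so if `strlen()` ever returns `l` or more the bound wraps to a very large value and `strncat` is effectively unbounded. Nothing in these hunks shows where that invariant is established for `bc->dad` and `bc->infos_pending`, and the explicit `[l-1] = 0` lines are gone. Computing the remaining space once and skipping the append when none is left makes the call safe on its own: `size_t used = strlen(bc->dad); if (used < sizeof(bc->dad) - 1) strncat(bc->dad, bc->info_dad, sizeof(bc->dad) - used - 1);`. The enclosing case blocks start and end outside the hunks.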
@@ -3831,8 +3831,8 @@
 make_file(msgfile, sizeof(msgfile), curdir, curmsg); strcpy(textfile, msgfile); strcpy(backup, msgfile);
- strncat(textfile, ".txt", sizeof(textfile) - 1);
- strncat(backup, "-bak", sizeof(backup) - 1);
+ strncat(textfile, ".txt", sizeof(textfile) - strlen(textfile) - 1);
+ strncat(backup, "-bak", sizeof(backup) - strlen(backup) - 1);
 msg_cfg = ast_config_load(textfile);
Index: apps/app_speech_utils.c
===================================================================
--- apps/app_speech_utils.c (revision 103196)
+++ apps/app_speech_utils.c (working copy)
@@ -735,7 +735,7 @@
 } time(&start); snprintf(tmp, sizeof(tmp), "%c", f->subclass);
- strncat(dtmf, tmp, sizeof(dtmf));
+ strncat(dtmf, tmp, sizeof(dtmf) - strlen(dtmf) - 1);
 /* If the maximum length of the DTMF has been reached, stop now */ if (max_dtmf_len && strlen(dtmf) == max_dtmf_len) done = 1;
Index: funcs/func_enum.c
===================================================================
--- funcs/func_enum.c (revision 103196)
+++ funcs/func_enum.c (working copy)
@@ -98,7 +98,7 @@
 for (s = p = args.number; *s; s++) { if (*s != '-') { snprintf(tmp, sizeof(tmp), "%c", *s);
- strncat(num, tmp, sizeof(num));
+ strncat(num, tmp, sizeof(num) - strlen(num) - 1);
 } }
Index: main/channel.c
===================================================================
--- main/channel.c (revision 103196)
+++ main/channel.c (working copy)
@@ -4353,12 +4353,12 @@
 for (i = 0; i <= 63; i++) { /* Max group is 63 */ if (group & ((ast_group_t) 1 << i)) { if (!first) {
- strncat(buf, ", ", buflen);
+ strncat(buf, ", ", buflen - strlen(buf) - 1);
 } else { first=0; } snprintf(num, sizeof(num), "%u", i);
- strncat(buf, num, buflen);
+ strncat(buf, num, buflen - strlen(buf) - 1);
 } } return buf;
Index: main/manager.c
===================================================================
--- main/manager.c (revision 103196)
+++ main/manager.c (working copy)
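Review bot: In apps/app_voicemail.c (hunk at -3831) the corrected `strncat` bounds only help if the two unbounded `strcpy(textfile, msgfile)` / `strcpy(backup, msgfile)` calls just above them already fit. The buffer sizes are declared outside the hunk, so that cannot be confirmed here. If the suffix is truncated, `ast_config_load(textfile)` is handed a different path than intended, with no error. Building each name in one bounded step and checking the result covers both cases, e.g. `if (snprintf(textfile, sizeof(textfile), "%s.txt", msgfile) >= (int) sizeof(textfile)) { /* name too long: bail out */ }`, and likewise for `backup` with `"%s-bak"`.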
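Review bot: In apps/app_speech_utils.c (hunk at -735) a full `dtmf` buffer now makes the bound 0 and silently drops the digit, so the check on the next lines, `strlen(dtmf) == max_dtmf_len`, can never become true if `max_dtmf_len` is larger than `sizeof(dtmf) - 1`. Whether another exit condition ends the loop in that case is not visible in the hunk. Treating a full buffer as a stop condition avoids depending on it: `if (strlen(dtmf) >= sizeof(dtmf) - 1 || (max_dtmf_len && strlen(dtmf) >= max_dtmf_len)) done = 1;`. The bound also assumes `dtmf` is an array in this scope rather than a pointer; its declaration is above the hunk.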
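Review bot: In funcs/func_enum.c (hunk at -98) a number longer than `num` is now cut off without any signal, and whatever consumes `num` after the loop (outside the hunk) would presumably run on the shortened value. The per-character `snprintf(tmp, ...)` plus `strncat` also rescans `num` on every iteration. A write index does both jobs: `if (pos >= sizeof(num) - 1) break;` followed by `num[pos++] = *s;`, with `num[pos] = '\0';` after the loop and the early exit reported to the caller. `num` and `tmp` are declared above the hunk.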
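Review bot: In main/channel.c (hunk at -4353) both new bounds `buflen - strlen(buf) - 1` are evaluated in `size_t` and wrap to a very large value when `buflen` is 0 or when `buf` is not already terminated within `buflen` bytes. `buflen` looks like a caller-supplied size, and the code that initialises `buf` is above the hunk, so neither condition can be ruled out from here. A guard before the loop such as `if (!buf || !buflen) return buf;` together with `buf[0] = '\0';` (if not already done there) would make the two appends safe regardless of the caller.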
@@ -206,10 +206,10 @@
 for (i = 0; i < (sizeof(perms) / sizeof(perms[0])) - 1; i++) { if (authority & perms[i].num) { if (*res) {
- strncat(res, ",", (reslen > running_total) ? reslen - running_total : 0);
+ strncat(res, ",", (reslen > running_total) ? reslen - running_total - 1 : 0);
 running_total++; }
- strncat(res, perms[i].label, (reslen > running_total) ? reslen - running_total : 0);
+ strncat(res, perms[i].label, (reslen > running_total) ? reslen - running_total - 1 : 0);
 running_total += strlen(perms[i].label); } }
Index: main/asterisk.c
===================================================================
--- main/asterisk.c (revision 103196)
+++ main/asterisk.c (working copy)
@@ -1931,9 +1931,10 @@
 if (color_used) { /* Force colors back to normal at end */ term_color_code(term_code, COLOR_WHITE, COLOR_BLACK, sizeof(term_code));
- if (strlen(term_code) > sizeof(prompt) - strlen(prompt)) {
- strncat(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code));
+ if (strlen(term_code) > sizeof(prompt) - strlen(prompt) - 1) {
+ ast_copy_string(prompt + sizeof(prompt) - strlen(term_code) - 1, term_code, strlen(term_code) + 1);
 } else {
+ /* This looks wrong, but we've already checked the length of term_code to ensure it's safe */
 strncat(p, term_code, sizeof(term_code)); } }
Index: main/frame.c
===================================================================
--- main/frame.c (revision 103196)
+++ main/frame.c (working copy)
@@ -1091,16 +1091,16 @@
 slen = strlen(formatname); if(slen > total_len) break;
- strncat(buf,formatname,total_len);
+ strncat(buf, formatname, total_len - 1);
 total_len -= slen; } if(total_len && x < 31 && ast_codec_pref_index(pref , x + 1)) {
- strncat(buf,"|",total_len);
+ strncat(buf, "|", total_len - 1);
 total_len--; } } if(total_len) {
- strncat(buf,")",total_len);
+ strncat(buf, ")", total_len - 1);
 total_len--; }
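Review bot: In main/manager.c (hunk at -206) the bound comes from the hand-maintained `running_total` rather than from the buffer, and nothing in the code documents that. It is only correct if `running_total` equals `strlen(res)` when the loop starts, and that initialisation is above the hunk. The counter also keeps growing by the full label length after a truncated append, which the `reslen > running_total` test tolerates but a later reader may not expect. A comment above the loop would record both facts: `/* running_total mirrors strlen(res); it may exceed reslen once output has been truncated */`.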
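Review bot: In main/asterisk.c (hunk at -1931) the `else` branch still bounds the append by the size of the source, `strncat(p, term_code, sizeof(term_code))`, and relies on the added comment to explain why that is safe. That holds only while `p` points inside `prompt` at text ending where `strlen(prompt)` says it does; `p` is set outside the hunk. Writing the bound against the destination removes the need for the comment: `strncat(p, term_code, sizeof(prompt) - strlen(prompt) - 1);`. In the first branch, `prompt + sizeof(prompt) - strlen(term_code) - 1` would point before `prompt` if `term_code` could be as long as `prompt`; both sizes are declared above the hunk, so a compile-time check that `sizeof(term_code) < sizeof(prompt)` would pin that down.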
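Review bot: In main/frame.c (hunk at -1091) the guards still let an append be clipped or dropped while `total_len` is decremented as if it had succeeded. `if(slen > total_len) break;` admits `slen == total_len`, where `strncat(buf, formatname, total_len - 1)` loses the last character. `if(total_len)` with `total_len == 1` passes a bound of 0, so the `|` or `)` is never written. Memory safety holds provided `total_len` starts as the space left in `buf` including the terminator (set above the hunk), but the string can end in a clipped codec name or without its closing `)`. Tightening the tests to `if (slen >= total_len) break;` and `if (total_len > 1)` keeps the accounting and the buffer in step.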