From 2aa62c1e01040d16383f2e18ca4b22f1c908dc6e Mon Sep 17 00:00:00 2001
From: Paolo Devoti <paolo.devoti@technowise.it>
Date: Thu, 9 Aug 2018 14:56:08 +0200
Subject: [PATCH] avoids risk of strncat buffer overflow

---
 src/iec61850/server/impl/ied_server.c | 2 +-
 src/iec61850/server/model/model.c     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/iec61850/server/impl/ied_server.c b/src/iec61850/server/impl/ied_server.c
index 8fa94f6e..99e10af9 100644
--- a/src/iec61850/server/impl/ied_server.c
+++ b/src/iec61850/server/impl/ied_server.c
@@ -1371,7 +1371,7 @@ IedServer_getFunctionalConstrainedData(IedServer self, DataObject* dataObject, F
     }
 
     strncpy(domainName, self->model->name, 64);
-    strncat(domainName, ld->name, 64);
+    strncat(domainName, ld->name, 64 - strlen(domainName));
 
     MmsDomain* domain = MmsDevice_getDomain(self->mmsDevice, domainName);
 
diff --git a/src/iec61850/server/model/model.c b/src/iec61850/server/model/model.c
index 0b5f84b7..7c5d1203 100644
--- a/src/iec61850/server/model/model.c
+++ b/src/iec61850/server/model/model.c
@@ -114,7 +114,7 @@ IedModel_lookupDataSet(IedModel* self, const char* dataSetReference  /* e.g. ied
 
 	    domainName[modelNameLen] = 0;
 
-	    strncat(domainName, dataSet->logicalDeviceName, 64);
+	    strncat(domainName, dataSet->logicalDeviceName, 64 - modelNameLen);
 
 		if (strncmp(domainName, dataSetReference, ldNameLen) == 0) {
 			if (strcmp(dataSet->name, separator + 1) == 0) {
@@ -138,7 +138,7 @@ IedModel_getDevice(IedModel* self, const char* deviceName)
         char domainName[65];
 
         strncpy(domainName, self->name, 64);
-        strncat(domainName, device->name, 64);
+        strncat(domainName, device->name, 64 - strlen(domainName));
 
         if (strcmp(domainName, deviceName) == 0)
             return device;