# Extended 5.16 — SocketPlugin findOption: strncpy non-NUL-term footgun

Bug ref      : pharo.md §5.16
Severity     : MEDIUM (downstream strlen of non-terminated buffer)
File         : extracted/plugins/SocketPlugin/src/common/SocketPluginImpl.c
Lines (HEAD) : 1534-1547 (`findOption`)

## Problem

```c
strncpy(buf, source, n);
... downstream code does strlen(buf) ...
```

`strncpy` without NUL-terminating leaves `buf` un-terminated when
`source` is exactly `n` bytes. The downstream `strlen` walks past.

## Fix

Pattern matching extended 3.24:

```diff
diff --git a/plugins/SocketPlugin/src/common/SocketPluginImpl.c b/plugins/SocketPlugin/src/common/SocketPluginImpl.c
index b7b58ef5c..ba04749a4 100644
--- a/plugins/SocketPlugin/src/common/SocketPluginImpl.c
+++ b/plugins/SocketPlugin/src/common/SocketPluginImpl.c
@@ -1538,7 +1538,10 @@ static socketOption *findOption(char *name, size_t nameSize)
       socketOption *opt= 0;
       char buf[32];
       buf[nameSize]= '\0';
-      strncpy(buf, name, nameSize);
+      /* strncpy does not NUL-terminate when source fills the buffer.
+       * Clamp and explicitly terminate. */
+      strncpy(buf, name, nameSize < sizeof(buf) ? nameSize : sizeof(buf) - 1);
+      buf[sizeof(buf) - 1] = '\0';
       for (opt= socketOptions; opt->name != 0; ++opt)
 	if (!strcmp(buf, opt->name))
 	  return opt;

```

## Test plan

- Pass an option string of length exactly `n`. Before: unterminated
  buffer; downstream strlen reads OOB. After: truncated by one byte
  but terminated.

## Risk notes

- Same canonical strncpy-with-NUL pattern as 3.24.