CVS commit: src/lib/libc/string
Module Name:src Committed By: wiz Date: Mon Jul 15 19:25:30 UTC 2024 Modified Files: src/lib/libc/string: memccpy.3 Log Message: memccpy(3): add STANDARDS section With input from kre@ To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/lib/libc/string/memccpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/memccpy.3 diff -u src/lib/libc/string/memccpy.3:1.10 src/lib/libc/string/memccpy.3:1.11 --- src/lib/libc/string/memccpy.3:1.10 Mon Oct 16 08:48:45 2006 +++ src/lib/libc/string/memccpy.3 Mon Jul 15 19:25:30 2024 @@ -26,9 +26,9 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)memccpy.3 8.1 (Berkeley) 6/9/93 -.\" $NetBSD: memccpy.3,v 1.10 2006/10/16 08:48:45 wiz Exp $ +.\" $NetBSD: memccpy.3,v 1.11 2024/07/15 19:25:30 wiz Exp $ .\" -.Dd June 9, 1993 +.Dd July 15, 2024 .Dt MEMCCPY 3 .Os .Sh NAME @@ -65,8 +65,14 @@ bytes are copied, and a null pointer is .Xr memcpy 3 , .Xr memmove 3 , .Xr strcpy 3 +.Sh STANDARDS +.Nm +conforms to +.St -p1003.1 +and +.St -svid4 . .Sh HISTORY The .Fn memccpy function first appeared in -.Bx 4.4 . +.Bx 4.3 Tahoe .
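Review bot: the HISTORY line in the last hunk changes `.Bx 4.4 .` to `.Bx 4.3 Tahoe .`, a factual correction that the log message ("add STANDARDS section") does not mention. Name it in the log message or commit it separately, so the change of first-appearance release can be found from the history later.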
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Sun Aug 13 11:27:22 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): More on how strlcpy is not a safe strncpy replacement. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.15 src/lib/libc/string/strncpy.3:1.16 --- src/lib/libc/string/strncpy.3:1.15 Fri Aug 11 21:32:26 2023 +++ src/lib/libc/string/strncpy.3 Sun Aug 13 11:27:22 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.15 2023/08/11 21:32:26 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.16 2023/08/13 11:27:22 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -212,6 +212,10 @@ buf[sizeof(buf) - 1] = '\e0'; .Ed .Pp If +.Va input +is guaranteed to be +.Tn NUL Ns -terminated , +and if .Va buf need only be .Tn NUL Ns -terminated , @@ -225,6 +229,16 @@ as follows: strlcpy(buf, input, sizeof(buf)); .Ed .Pp +It is not enough for +.Va input +to have +.Li sizeof(buf) +bytes allocated; it MUST be +.Tn NUL Ns -terminated +for +.Xr strlcpy 3 +to be used. +.Pp Note that because .Xr strlcpy 3 is not defined in any standards, it should 
@@ -235,18 +249,26 @@ Because .Xr strlcpy 3 does not fully initialize .Fa dst , -it is +but does read all the way to a +.Tn NUL +terminator in +.Fa src +even past +.Fa len +bytes, +.Xr strlcpy 3 +is .Em not a safe .Tn NUL Ns -terminating replacement for -.Fn strncpy -if the buffer is not separately zero-initialized. +.Fn strncpy . Naively replacing .Fn strncpy by .Xr strlcpy 3 -can lead to disclosure of secrets from uninitialized memory. +can lead to crashes, undefined behaviour, and disclosure of secrets +from uninitialized memory. .Sh SEE ALSO .Xr bcopy 3 , .Xr memccpy 3 ,
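Review bot: `.Dd August 11, 2023` is left unchanged in the first hunk although this revision, committed on August 13, changes the guidance the page gives (strlcpy is now described as not a safe replacement at all, and the consequences now include crashes and undefined behaviour). Bump `.Dd` to the commit date so readers can tell the advice was revised.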
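Review bot: in the hunk at `@@ -225,6 +229,16 @@`, the added sentence writes the requirement as a capitalised "MUST" in running text, while the rest of the page marks emphasis with `.Em` (for example `.Em not` in the following hunk). Use `.Em must` so the emphasis renders consistently in every output format.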
CVS commit: src/lib/libc/string
Module Name:src Committed By: wiz Date: Sun Aug 13 04:20:08 UTC 2023 Modified Files: src/lib/libc/string: memcpy.3 Log Message: memcpy: consistency in prototype and fix sentence To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libc/string/memcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/memcpy.3 diff -u src/lib/libc/string/memcpy.3:1.14 src/lib/libc/string/memcpy.3:1.15 --- src/lib/libc/string/memcpy.3:1.14 Tue Aug 1 17:51:25 2023 +++ src/lib/libc/string/memcpy.3 Sun Aug 13 04:20:07 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)memcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: memcpy.3,v 1.14 2023/08/01 17:51:25 christos Exp $ +.\" $NetBSD: memcpy.3,v 1.15 2023/08/13 04:20:07 wiz Exp $ .\" .Dd August 1, 2023 .Dt MEMCPY 3 @@ -45,7 +45,7 @@ .Ft void * .Fn memcpy "void * restrict dst" "const void * restrict src" "size_t len" .Ft void * -.Fn mempcpy "void *restrict dst" "const void * restrict src" "size_t len" +.Fn mempcpy "void * restrict dst" "const void * restrict src" "size_t len" .Sh DESCRIPTION The .Fn memcpy @@ -67,11 +67,11 @@ The .Fn memcpy function returns the original value of +.Fa dst . .Pp The .Fn mempcpy function returns a pointer to the byte after the last written byte. -.Fa dst . .Sh SEE ALSO .Xr bcopy 3 , .Xr memccpy 3 ,
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:32:26 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Fix column sizing. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.14 src/lib/libc/string/strncpy.3:1.15 --- src/lib/libc/string/strncpy.3:1.14 Fri Aug 11 21:20:39 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:32:26 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.14 2023/08/11 21:20:39 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.15 2023/08/11 21:32:26 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -153,7 +153,7 @@ The following values for .Dv str result in the following corresponding contents of .Dv rec Ns Li "->name" : -.Bl -column -offset indent ".Li \*qabcdefghi\*q" ".Li \*qabc\e0\e0\e0\*q" +.Bl -column -offset indent ".Li \*qabcdefghi\e0\*q" ".Li \*qabc\e0\e0\e0\*q" .It Dv str Ta Dv rec Ns Li "->name" .It Li \*qabc\e0\*q Ta Li \*qabc\e0\e0\e0\*q .It Li \*qabc\e0\e0\e0\*q Ta Li \*qabc\e0\e0\e0\*q
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:30:32 UTC 2023 Modified Files: src/lib/libc/string: strlcpy.3 Log Message: strlcpy(3): Tweak markup. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/lib/libc/string/strlcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.20 src/lib/libc/string/strlcpy.3:1.21 --- src/lib/libc/string/strlcpy.3:1.20 Fri Aug 11 21:20:39 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 21:30:32 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.20 2023/08/11 21:20:39 riastradh Exp $ +.\" $NetBSD: strlcpy.3,v 1.21 2023/08/11 21:30:32 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -53,8 +53,8 @@ strings respectively. The .Fn strlcpy function copies up to -.Fa size -- 1 bytes from the +.Fa size Li "- 1" +bytes from the .Tn NUL Ns -terminated string .Fa src @@ -72,8 +72,8 @@ string to the end of .Fa dst . It will append at most -.Fa size -- strlen(dst) - 1 bytes, +.Fa size Li "-" Fn strlen dst Li "- 1" +bytes, .Tn NUL Ns -terminating the result. .Ss Relation to Xr strncpy 3 and Xr strncat 3
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:20:39 UTC 2023 Modified Files: src/lib/libc/string: strlcpy.3 strncpy.3 Log Message: strlcpy(3), strncpy(3): Omit needless (void) casts in examples. The return values are not critical. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/lib/libc/string/strlcpy.3 cvs rdiff -u -r1.13 -r1.14 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.19 src/lib/libc/string/strlcpy.3:1.20 --- src/lib/libc/string/strlcpy.3:1.19 Fri Aug 11 21:17:16 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 21:20:39 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.19 2023/08/11 21:17:16 riastradh Exp $ +.\" $NetBSD: strlcpy.3,v 1.20 2023/08/11 21:20:39 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -200,8 +200,8 @@ char *s, *p, buf[BUFSIZ]; \&... -(void)strlcpy(buf, s, sizeof(buf)); -(void)strlcat(buf, p, sizeof(buf)); +strlcpy(buf, s, sizeof(buf)); +strlcat(buf, p, sizeof(buf)); .Ed .Pp To detect truncation, perhaps while building a pathname, something Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.13 src/lib/libc/string/strncpy.3:1.14 --- src/lib/libc/string/strncpy.3:1.13 Fri Aug 11 21:17:16 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:20:39 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.13 2023/08/11 21:17:16 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.14 2023/08/11 21:20:39 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 
@@ -207,7 +207,7 @@ is required it must be done explicitly: .Bd -literal -offset indent char buf[1024]; -(void)strncpy(buf, input, sizeof(buf) - 1); +strncpy(buf, input, sizeof(buf) - 1); buf[sizeof(buf) - 1] = '\e0'; .Ed .Pp @@ -222,7 +222,7 @@ this could be achieved using .Xr strlcpy 3 as follows: .Bd -literal -offset indent -(void)strlcpy(buf, input, sizeof(buf)); +strlcpy(buf, input, sizeof(buf)); .Ed .Pp Note that because
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:17:16 UTC 2023 Modified Files: src/lib/libc/string: strcpy.3 strlcpy.3 strncpy.3 Log Message: strcpy(3), strlcpy(3), strncpy(3): Just say `byte', not `character'. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/lib/libc/string/strcpy.3 cvs rdiff -u -r1.18 -r1.19 src/lib/libc/string/strlcpy.3 cvs rdiff -u -r1.12 -r1.13 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strcpy.3 diff -u src/lib/libc/string/strcpy.3:1.26 src/lib/libc/string/strcpy.3:1.27 --- src/lib/libc/string/strcpy.3:1.26 Fri Aug 11 16:05:56 2023 +++ src/lib/libc/string/strcpy.3 Fri Aug 11 21:17:16 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strcpy.3,v 1.26 2023/08/11 16:05:56 riastradh Exp $ +.\" $NetBSD: strcpy.3,v 1.27 2023/08/11 21:17:16 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRCPY 3 @@ -59,7 +59,7 @@ to .Fa dst , including the terminating .Tn NUL -character. +byte. .Pp The strings .Fa src @@ -70,7 +70,7 @@ The string .Fa src must be terminated by a .Tn NUL -character. +byte. The memory for .Fa dst must have space for @@ -86,7 +86,7 @@ The .Fn stpcpy function returns a pointer to the terminating .Tn NUL -character of +byte of .Fa dst . .Sh SEE ALSO .Xr bcopy 3 , Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.18 src/lib/libc/string/strlcpy.3:1.19 --- src/lib/libc/string/strlcpy.3:1.18 Fri Aug 11 16:34:28 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 21:17:16 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.18 2023/08/11 16:34:28 riastradh Exp $ +.\" $NetBSD: strlcpy.3,v 1.19 2023/08/11 21:17:16 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller 
@@ -54,7 +54,7 @@ The .Fn strlcpy function copies up to .Fa size -- 1 characters from the +- 1 bytes from the .Tn NUL Ns -terminated string .Fa src @@ -175,7 +175,7 @@ Note however, that if .Fn strlcat traverses .Fa size -characters without finding a +bytes without finding a .Tn NUL , the length of the string is considered to be .Fa size @@ -217,7 +217,7 @@ if (strlcat(pname, file, sizeof(pname)) goto toolong; .Ed .Pp -Since we know how many characters we copied the first time, we can +Since we know how many bytes we copied the first time, we can speed things up a bit by using a copy instead of an append: .Bd -literal -offset indent char *dir, *file, pname[MAXPATHLEN]; Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.12 src/lib/libc/string/strncpy.3:1.13 --- src/lib/libc/string/strncpy.3:1.12 Fri Aug 11 21:12:10 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:17:16 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.12 2023/08/11 21:12:10 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.13 2023/08/11 21:17:16 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -136,7 +136,7 @@ appear on disk with the content of a cal .Dv str , padded to the end of the field with .Tn NUL -characters: +bytes: .Bd -literal -offset indent struct record { uint16_t id; @@ -168,7 +168,7 @@ Note that when .Dv str has at least six .No non- Ns Tn NUL -characters, +bytes, .Dv rec Ns Li "->name" is .Em not @@ -184,12 +184,12 @@ has .Em more than six .No non- Ns Tn NUL -characters, the additional ones are truncated. +bytes, the additional ones are truncated. If .Dv str has space for .Em fewer -than six characters, and the last one is not +than six bytes, and the last one is not .Tn NUL , using .Fn strncpy
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:12:11 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Tiny wording tweak. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.11 src/lib/libc/string/strncpy.3:1.12 --- src/lib/libc/string/strncpy.3:1.11 Fri Aug 11 21:11:21 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:12:10 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.11 2023/08/11 21:11:21 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.12 2023/08/11 21:12:10 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -98,7 +98,7 @@ and .Fn strncpy write exactly .Fa len -bytes to it, including nonempty +bytes to it, which includes nonempty .Tn NUL padding only if a .Tn NUL
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:11:21 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Reword to make sentence structure parallel. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.10 src/lib/libc/string/strncpy.3:1.11 --- src/lib/libc/string/strncpy.3:1.10 Fri Aug 11 21:10:26 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:11:21 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.10 2023/08/11 21:10:26 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.11 2023/08/11 21:11:21 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -76,9 +76,9 @@ The buffer .Fa src is not required to hold a .Tn NUL Ns -terminated -string on input; it is only required to have +string on input; it is only required .Em either -at least +to have at least .Fa len bytes allocated and initialized, .Em or
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:10:27 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Fix typo -- stpncpy, not stpcpy which is different. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.9 src/lib/libc/string/strncpy.3:1.10 --- src/lib/libc/string/strncpy.3:1.9 Fri Aug 11 21:09:11 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:10:26 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.9 2023/08/11 21:09:11 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.10 2023/08/11 21:10:26 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -93,7 +93,7 @@ The buffer is not guaranteed to hold a .Tn NUL Ns -terminated string on output; -.Fn stpcpy +.Fn stpncpy and .Fn strncpy write exactly
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 21:09:11 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Take another whack at clarifying this. Emphasize the fixed-buffer nature of it, and that NUL-termination is neither required on input nor guaranteed on output. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.8 src/lib/libc/string/strncpy.3:1.9 --- src/lib/libc/string/strncpy.3:1.8 Fri Aug 11 16:04:25 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 21:09:11 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.8 2023/08/11 16:04:25 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.9 2023/08/11 21:09:11 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -39,7 +39,7 @@ .Sh NAME .Nm stpncpy , .Nm strncpy -.Nd copy fixed-width string buffers +.Nd copy fixed-width buffers with NUL padding .Sh LIBRARY .Lb libc .Sh SYNOPSIS 
@@ -53,37 +53,59 @@ The .Fn stpncpy and .Fn strncpy -functions copy at most +functions fill a +.Fa len Ns -byte +buffer at +.Fa dst +by copying up to .Fa len .No non- Ns Tn NUL -characters from +bytes from .Fa src -into -.Fa dst . -If -.Fa src -is less than -.Fa len -characters long before the first +followed by enough .Tn NUL -character, the remainder of -.Fa dst -is filled with -.Tn NUL -characters. -Otherwise, -.Fa dst -is -.Em not -terminated with a -.Tn NUL -character. +bytes \(em possibly zero of them \(em to pad the remainder. .Pp -The strings +The buffers .Fa src and .Fa dst may not overlap. +.Pp +The buffer +.Fa src +is not required to hold a +.Tn NUL Ns -terminated +string on input; it is only required to have +.Em either +at least +.Fa len +bytes allocated and initialized, +.Em or +to have a +.Tn NUL +byte if it is shorter than +.Fa len +bytes. +.Pp +The buffer +.Fa dst +is not guaranteed to hold a +.Tn NUL Ns -terminated +string on output; +.Fn stpcpy +and +.Fn strncpy +write exactly +.Fa len +bytes to it, including nonempty +.Tn NUL +padding only if a +.Tn NUL +byte appears in the first +.Fa len +bytes at +.Fa src . .Sh RETURN VALUES The .Fn strncpy @@ -92,21 +114,22 @@ function returns .Pp The .Fn stpncpy -function returns a pointer to the terminating -.Tn NUL -character of +function returns a pointer to the byte after the last +.No non- Ns Tn NUL +byte of .Fa dst . -If -.Fn stpncpy -does not terminate -.Fa dst -with a +This does not necessarily point to a .Tn NUL -character, it instead returns a pointer to -.Sm off -.Fa dst Li "[" Fa len Li "]" , -.Sm on -which may be one past the last element of an array. +byte; +.Fn stpncpy +may return +.Li \*(Am Ns Fa dst Ns Li "[" Fa len Ns Li "]" Ns , +if all +.Fa len +bytes starting at +.Fa src +are +.No non- Tn NUL . .Sh EXAMPLES The following logic fills a fixed-width field in a record that might appear on disk with the content of a caller-provided string
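Review bot: in the DESCRIPTION hunk (`@@ -53,37 +53,59 @@`), the added paragraph about `dst` names `.Fn stpcpy` where it should name `.Fn stpncpy`. The page's `.Nm` entries are `stpncpy` and `strncpy`, and stpcpy is a different function with no `len` argument, so the sentence "write exactly `len` bytes to it" cannot apply to it.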
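Review bot: the RETURN VALUES hunk (`@@ -92,21 +114,22 @@`) loses spacing control in two places. The closing `.No non- Tn NUL .` lacks the `Ns` used everywhere else in this patch (`.No non- Ns Tn NUL`), so it will render with a space after the hyphen, and `Li "[" Fa len` has no `Ns` between the bracket and `len`, which the removed `.Sm off` / `.Sm on` pair used to take care of. Add the missing `Ns` in both spots.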
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 16:34:28 UTC 2023 Modified Files: src/lib/libc/string: strlcpy.3 Log Message: strlcpy(3): Nix stray space between `NUL' and `-terminating'. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/lib/libc/string/strlcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.17 src/lib/libc/string/strlcpy.3:1.18 --- src/lib/libc/string/strlcpy.3:1.17 Fri Aug 11 16:06:10 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 16:34:28 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.17 2023/08/11 16:06:10 uwe Exp $ +.\" $NetBSD: strlcpy.3,v 1.18 2023/08/11 16:34:28 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -74,7 +74,7 @@ to the end of It will append at most .Fa size - strlen(dst) - 1 bytes, -.Tn NUL -terminating +.Tn NUL Ns -terminating the result. .Ss Relation to Xr strncpy 3 and Xr strncat 3 Unlike
CVS commit: src/lib/libc/string
Module Name:src Committed By: uwe Date: Fri Aug 11 16:06:10 UTC 2023 Modified Files: src/lib/libc/string: strlcpy.3 Log Message: strlcpy(3): don't use \*[Ge] for >= - it's wrong for source code In the PostScript output it produces the single mathematical "greater or equal" symbol, not the ">=". To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/lib/libc/string/strlcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.16 src/lib/libc/string/strlcpy.3:1.17 --- src/lib/libc/string/strlcpy.3:1.16 Fri Aug 11 15:36:17 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 16:06:10 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.16 2023/08/11 15:36:17 riastradh Exp $ +.\" $NetBSD: strlcpy.3,v 1.17 2023/08/11 16:06:10 uwe Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -226,9 +226,9 @@ size_t n; \&... n = strlcpy(pname, dir, sizeof(pname)); -if (n \*[Ge] sizeof(pname)) +if (n >= sizeof(pname)) goto toolong; -if (strlcpy(pname + n, file, sizeof(pname) - n) \*[Ge] sizeof(pname) - n) +if (strlcpy(pname + n, file, sizeof(pname) - n) >= sizeof(pname) - n) goto toolong; .Ed .Pp
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 16:05:56 UTC 2023 Modified Files: src/lib/libc/string: strcpy.3 Log Message: strcpy(3): Note that strlcpy(3) is a safer replacement for strcpy(3). Suggest snprintf("%s") as a more portable alternative too. Note that both strlcpy and snprintf still require the input to be NUL-terminated. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/lib/libc/string/strcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strcpy.3 diff -u src/lib/libc/string/strcpy.3:1.25 src/lib/libc/string/strcpy.3:1.26 --- src/lib/libc/string/strcpy.3:1.25 Fri Aug 11 15:36:17 2023 +++ src/lib/libc/string/strcpy.3 Fri Aug 11 16:05:56 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strcpy.3,v 1.25 2023/08/11 15:36:17 riastradh Exp $ +.\" $NetBSD: strcpy.3,v 1.26 2023/08/11 16:05:56 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRCPY 3 @@ -126,3 +126,27 @@ terminator, or the input string is longe can lead to crashes or security vulnerabilities from buffer overruns, including disclosure of secrets in memory and arbitrary code execution. +.Pp +The +.Xr strlcpy 3 +function is a safer replacement for +.Fn strcpy +which allows the caller to specify the space allocated for +.Fa dst . +.Xr strlcpy 3 , +or +.Xr snprintf 3 +with a format string of +.Li \*q%s\*q , +should be used instead of +.Fn strcpy +and +.Fn stpcpy +wherever possible to avoid buffer overruns in +.Fa dst . +.Po +However, they still require +.Fa src +to be +.Tn NUL Ns -terminated . +.Pc
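Review bot: the added paragraph recommends `strlcpy` and `snprintf` with `"%s"` to avoid overruns in `dst`, but does not say that both truncate the result when `src` does not fit. Add a sentence telling callers to check the return value against the size of `dst`, with a pointer to the truncation example in strlcpy(3), so that a silent truncation is not traded for the overrun.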
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 16:04:25 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Rework the example in an attempt to improve exposition. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.7 src/lib/libc/string/strncpy.3:1.8 --- src/lib/libc/string/strncpy.3:1.7 Fri Aug 11 15:37:55 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 16:04:25 2023 @@ -31,7 +31,7 @@ .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 .\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp -.\" $NetBSD: strncpy.3,v 1.7 2023/08/11 15:37:55 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.8 2023/08/11 16:04:25 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 
@@ -108,52 +108,79 @@ character, it instead returns a pointer .Sm on which may be one past the last element of an array. .Sh EXAMPLES -The following sets -.Va chararray -to -.Li \*qabc\e0\e0\e0\*q : -.Bd -literal -offset indent -char chararray[6]; - -(void)strncpy(chararray, "abc", sizeof(chararray)); -.Ed -.Pp -The following sets -.Va chararray -to -.Li \*qabcdef\*q : +The following logic fills a fixed-width field in a record that might +appear on disk with the content of a caller-provided string +.Dv str , +padded to the end of the field with +.Tn NUL +characters: .Bd -literal -offset indent -char chararray[6]; +struct record { + uint16_t id; + char name[6]; + uint8_t tag; + ... +}; -(void)strncpy(chararray, "abcdefgh", sizeof(chararray)); +struct record *rec = ...; +strncpy(rec->name, str, sizeof(rec->name)); .Ed .Pp -Note that it does +The following values for +.Dv str +result in the following corresponding contents of +.Dv rec Ns Li "->name" : +.Bl -column -offset indent ".Li \*qabcdefghi\*q" ".Li \*qabc\e0\e0\e0\*q" +.It Dv str Ta Dv rec Ns Li "->name" +.It Li \*qabc\e0\*q Ta Li \*qabc\e0\e0\e0\*q +.It Li \*qabc\e0\e0\e0\*q Ta Li \*qabc\e0\e0\e0\*q +.It Li \*qabcde\e0\*q Ta Li \*qabcde\e0\*q +.It Li \*qabcdef\e0\*q Ta Li \*qabcdef\*q +.It Li \*qabcdef\*q Ta Li \*qabcdef\*q +.It Li \*qabcdefghi\e0\*q Ta Li \*qabcdef\*q +.It Li \*qabcdefghi\*q Ta Li \*qabcdef\*q +.El +.Pp +Note that when +.Dv str +has at least six +.No non- Ns Tn NUL +characters, +.Dv rec Ns Li "->name" +is .Em not -.Tn NUL Ns -terminate -.Va chararray -because the length of the source string is greater than or equal -to the length parameter. -.Fn strncpy -.Em only -.Tn NUL Ns -terminates -the destination string when the length of the source -string is less than the length parameter. -.Pp -The following copies as many characters from -.Va input -to -.Va buf -as will fit and -.Tn NUL Ns -terminates -the result. 
+.Tn NUL Ns -terminated +\(em it is only +.Em padded +with (possibly zero) +.Tn NUL +bytes to fill the fixed-width buffer. +When +.Dv str +has +.Em more +than six +.No non- Ns Tn NUL +characters, the additional ones are truncated. +If +.Dv str +has space for +.Em fewer +than six characters, and the last one is not +.Tn NUL , +using +.Fn strncpy +is undefined. +.Pp Because .Fn strncpy does .Em not guarantee to .Tn NUL Ns -terminate -the string itself, this must be done explicitly. +the result, if +.Tn NUL Ns -termination +is required it must be done explicitly: .Bd -literal -offset indent char buf[1024];
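Review bot: In the reworked EXAMPLES text (hunk @@ -108,52 +108,79 @@), the variables str and rec are marked up with `.Dv`, while the lines being removed used `.Va chararray`; `.Dv` is for defined constants, so `.Va str` and `.Va rec Ns Li "->name"` would keep the markup consistent. The sentence "If str has space for fewer than six characters, and the last one is not NUL, using strncpy is undefined" is the security-relevant line of the hunk and would be clearer if it said why: strncpy reads up to sizeof(rec->name) bytes from str unless it meets a NUL first, so a shorter unterminated source is read out of bounds. The new call also drops the `(void)` cast that the removed examples and the retained `buf` example use, so the page now mixes both styles.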
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 15:37:55 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Note strcpy(3) man page revision this forked from. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.6 src/lib/libc/string/strncpy.3:1.7 --- src/lib/libc/string/strncpy.3:1.6 Fri Aug 11 15:36:17 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 15:37:55 2023 @@ -30,7 +30,8 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strncpy.3,v 1.6 2023/08/11 15:36:17 riastradh Exp $ +.\" from: NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp +.\" $NetBSD: strncpy.3,v 1.7 2023/08/11 15:37:55 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 15:36:17 UTC 2023 Modified Files: src/lib/libc/string: strcpy.3 strlcpy.3 strncpy.3 Log Message: strcpy(3), strlcpy(3), strncpy(3): Use `.Tn NUL' for the zero byte. Let's be consistent within these man pages. (If someone else really likes the unpronounceable `.Ql \e0' better, that's fine, you can go through and systematically change all the man pages to use that after we're done clarifying strcpy(3), strncpy(3), and strlcpy(3).) To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/lib/libc/string/strcpy.3 cvs rdiff -u -r1.15 -r1.16 src/lib/libc/string/strlcpy.3 cvs rdiff -u -r1.5 -r1.6 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strcpy.3 diff -u src/lib/libc/string/strcpy.3:1.24 src/lib/libc/string/strcpy.3:1.25 --- src/lib/libc/string/strcpy.3:1.24 Fri Aug 11 09:39:39 2023 +++ src/lib/libc/string/strcpy.3 Fri Aug 11 15:36:17 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strcpy.3,v 1.24 2023/08/11 09:39:39 riastradh Exp $ +.\" $NetBSD: strcpy.3,v 1.25 2023/08/11 15:36:17 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRCPY 3 @@ -58,7 +58,7 @@ copy the string to .Fa dst , including the terminating -.Ql \e0 +.Tn NUL character. .Pp The strings @@ -69,7 +69,7 @@ may not overlap. The string .Fa src must be terminated by a -.Ql \e0 +.Tn NUL character. The memory for .Fa dst @@ -85,7 +85,7 @@ function returns The .Fn stpcpy function returns a pointer to the terminating -.Ql \e0 +.Tn NUL character of .Fa dst . .Sh SEE ALSO 
@@ -117,11 +117,11 @@ The and .Fn stpcpy functions copy until a -.Ql \e0 +.Tn NUL terminator without any bounds checks on the size of the input or output buffers. If the input buffer is missing a -.Ql \e0 +.Tn NUL terminator, or the input string is longer than the output buffer, this can lead to crashes or security vulnerabilities from buffer overruns, including disclosure of secrets in memory and arbitrary code Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.15 src/lib/libc/string/strlcpy.3:1.16 --- src/lib/libc/string/strlcpy.3:1.15 Fri Aug 11 08:15:30 2023 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 15:36:17 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.15 2023/08/11 08:15:30 riastradh Exp $ +.\" $NetBSD: strlcpy.3,v 1.16 2023/08/11 15:36:17 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -46,27 +46,36 @@ The .Fn strlcpy and .Fn strlcat -functions copy and concatenate NUL-terminated strings respectively. +functions copy and concatenate +.Tn NUL Ns -terminated +strings respectively. .Pp The .Fn strlcpy function copies up to .Fa size -- 1 characters from the NUL-terminated string +- 1 characters from the +.Tn NUL Ns -terminated +string .Fa src to .Fa dst , -NUL-terminating the result. +.Tn NUL Ns -terminating +the result. .Pp The .Fn strlcat -function appends the NUL-terminated string +function appends the +.Tn NUL Ns -terminated +string .Fa src to the end of .Fa dst . It will append at most .Fa size -- strlen(dst) - 1 bytes, NUL-terminating the result. +- strlen(dst) - 1 bytes, +.Tn NUL -terminating +the result. .Ss Relation to Xr strncpy 3 and Xr strncat 3 Unlike .Xr strncpy 3 
@@ -76,13 +85,16 @@ and and .Fn strlcat are guaranteed to -NUL-terminate the result (as long as +.Tn NUL Ns -terminate +the result (as long as .Fa size is larger than 0 or, in the case of .Fn strlcat , as long as there is at least one byte free in .Fa dst ) . -Note that you should include a byte for the NUL in +Note that you should include a byte for the +.Tn NUL +in .Fa size . .Pp .Sy WARNING : @@ -113,16 +125,22 @@ strings. This means that for .Fn strlcpy .Fa src -must be NUL-terminated and for +must be +.Tn NUL Ns -terminated +and for .Fn strlcat both .Fa src and .Fa dst -must be NUL-terminated. +must be +.Tn NUL Ns -terminated . Applications handling fixed-width fields with .Pq possibly empty -NUL padding, instead of NUL-terminated C strings, MUST use +.Tn NUL +padding, instead of +.Tn NUL Ns -terminated +C strings, MUST use .Xr strncpy 3 and .Xr strncat 3 @@ -157,11 +175,13 @@ Note however, that if .Fn strlcat traverses .Fa size -characters without finding a NUL, the length of the string is considered -to be +characters without finding a +.Tn NUL , +the length of the string is considered to be .Fa size -and the destination string will not be NUL-terminated (since there was -no space for the NUL). +and the destination string will not be +.Tn NUL Ns -terminated +.Pq since there was no space for the Tn NUL . This keeps .Fn strlcat from running off the end of a string. Index: src/lib/libc/string/strncpy.3 diff -u sr
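Review bot: In the strlcpy.3 hunk @@ -46,27 +46,36 @@, the strlcat paragraph adds `.Tn NUL -terminating` without `Ns`, while every other replacement in this patch is written `.Tn NUL Ns -terminated` or `.Tn NUL Ns -terminating`; without `Ns` the rendered text gets a space between NUL and the hyphen. Change that line to `.Tn NUL Ns -terminating`.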
CVS commit: src/lib/libc/string
Module Name:src Committed By: uwe Date: Fri Aug 11 13:18:24 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): markup tweaks NUL is a character name, not a defined name, use .Tn .Ns has implicit .No effect Use \*q for ASCII quotes (.Dq uses fancy typographical ones) To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.4 src/lib/libc/string/strncpy.3:1.5 --- src/lib/libc/string/strncpy.3:1.4 Fri Aug 11 13:10:59 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 13:18:24 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strncpy.3,v 1.4 2023/08/11 13:10:59 uwe Exp $ +.\" $NetBSD: strncpy.3,v 1.5 2023/08/11 13:18:24 uwe Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -110,7 +110,7 @@ which may be one past the last element o The following sets .Va chararray to -.Dq Li abc\e0\e0\e0 : +.Li \*qabc\e0\e0\e0\*q : .Bd -literal -offset indent char chararray[6]; @@ -120,7 +120,7 @@ char chararray[6]; The following sets .Va chararray to -.Dq Li abcdef : +.Li \*qabcdef\*q : .Bd -literal -offset indent char chararray[6]; @@ -129,13 +129,13 @@ char chararray[6]; .Pp Note that it does .Em not -.Dv NUL Ns No -terminate +.Tn NUL Ns -terminate .Va chararray because the length of the source string is greater than or equal to the length parameter. .Fn strncpy .Em only -.Dv NUL Ns No -terminates +.Tn NUL Ns -terminates the destination string when the length of the source string is less than the length parameter. .Pp 
@@ -144,14 +144,14 @@ The following copies as many characters to .Va buf as will fit and -.Dv NUL Ns No -terminates +.Tn NUL Ns -terminates the result. Because .Fn strncpy does .Em not guarantee to -.Dv NUL Ns No -terminate +.Tn NUL Ns -terminate the string itself, this must be done explicitly. .Bd -literal -offset indent char buf[1024]; @@ -162,7 +162,11 @@ buf[sizeof(buf) - 1] = '\e0'; .Pp If .Va buf -need only be be NUL-terminated, not fully initialized with NUL padding, +need only be +.Tn NUL Ns -terminated , +not fully initialized with +.Tn NUL +padding, this could be achieved using .Xr strlcpy 3 as follows: @@ -182,7 +186,9 @@ does not fully initialize .Fa dst , it is .Em not -a safe NUL-terminating replacement for +a safe +.Tn NUL Ns -terminating +replacement for .Fn strncpy if the buffer is not separately zero-initialized. Naively replacing @@ -218,4 +224,6 @@ The .Fn stpncpy and .Fn strncpy -functions are not guaranteed to NUL-terminate the result. +functions are not guaranteed to +.Tn NUL Ns -terminate +the result.
CVS commit: src/lib/libc/string
Module Name:src Committed By: uwe Date: Fri Aug 11 13:10:59 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): use .Sm off/on around a fancy expression to avoid lots of Ns To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.3 src/lib/libc/string/strncpy.3:1.4 --- src/lib/libc/string/strncpy.3:1.3 Fri Aug 11 12:26:59 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 13:10:59 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strncpy.3,v 1.3 2023/08/11 12:26:59 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.4 2023/08/11 13:10:59 uwe Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -102,7 +102,9 @@ does not terminate with a .Ql \e0 character, it instead returns a pointer to -.Fa dst Ns Li "[" Fa len Ns Li "]" Ns , +.Sm off +.Fa dst Li "[" Fa len Li "]" , +.Sm on which may be one past the last element of an array. .Sh EXAMPLES The following sets
CVS commit: src/lib/libc/string
Module Name:src Committed By: ryoon Date: Fri Aug 11 13:07:17 UTC 2023 Modified Files: src/lib/libc/string: Makefile.inc Log Message: Install strncpy.3 to fix build To generate a diff of this commit: cvs rdiff -u -r1.88 -r1.89 src/lib/libc/string/Makefile.inc Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/Makefile.inc diff -u src/lib/libc/string/Makefile.inc:1.88 src/lib/libc/string/Makefile.inc:1.89 --- src/lib/libc/string/Makefile.inc:1.88 Fri Aug 11 09:39:39 2023 +++ src/lib/libc/string/Makefile.inc Fri Aug 11 13:07:17 2023 @@ -1,5 +1,5 @@ # from: @(#)Makefile.inc 8.1 (Berkeley) 6/4/93 -# $NetBSD: Makefile.inc,v 1.88 2023/08/11 09:39:39 riastradh Exp $ +# $NetBSD: Makefile.inc,v 1.89 2023/08/11 13:07:17 ryoon Exp $ # string sources .PATH: ${ARCHDIR}/string ${.CURDIR}/string @@ -48,7 +48,7 @@ MAN+= bm.3 bcmp.3 bcopy.3 bstring.3 bzer popcount.3 \ rindex.3 strcasecmp.3 strcat.3 strchr.3 strcmp.3 strcoll.3 \ strcpy.3 strcspn.3 strdup.3 strerror.3 string.3 strings.3 strlcpy.3 \ - strlen.3 strmode.3 strpbrk.3 strrchr.3 strsep.3 \ + strlen.3 strmode.3 strncpy.3 strpbrk.3 strrchr.3 strsep.3 \ strsignal.3 strspn.3 strstr.3 strtok.3 strxfrm.3 \ swab.3 wcstok.3 wcswidth.3 wmemchr.3 wcsdup.3 wcscasecmp.3
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 12:26:59 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Slightly more consistency about NUL vs '\0' in the text. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.2 src/lib/libc/string/strncpy.3:1.3 --- src/lib/libc/string/strncpy.3:1.2 Fri Aug 11 11:51:54 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 12:26:59 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strncpy.3,v 1.2 2023/08/11 11:51:54 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.3 2023/08/11 12:26:59 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -100,7 +100,7 @@ If does not terminate .Fa dst with a -.Dv NUL +.Ql \e0 character, it instead returns a pointer to .Fa dst Ns Li "[" Fa len Ns Li "]" Ns , which may be one past the last element of an array.
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 11:51:54 UTC 2023 Modified Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3): Qualify example of strlcpy(3) with a major caveat. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strncpy.3 diff -u src/lib/libc/string/strncpy.3:1.1 src/lib/libc/string/strncpy.3:1.2 --- src/lib/libc/string/strncpy.3:1.1 Fri Aug 11 09:39:39 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 11:51:54 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strncpy.3,v 1.1 2023/08/11 09:39:39 riastradh Exp $ +.\" $NetBSD: strncpy.3,v 1.2 2023/08/11 11:51:54 riastradh Exp $ .\" .Dd August 11, 2023 .Dt STRNCPY 3 @@ -158,9 +158,12 @@ char buf[1024]; buf[sizeof(buf) - 1] = '\e0'; .Ed .Pp -This could be better and more simply achieved using -.Xr strlcpy 3 , -as shown in the following example: +If +.Va buf +need only be be NUL-terminated, not fully initialized with NUL padding, +this could be achieved using +.Xr strlcpy 3 +as follows: .Bd -literal -offset indent (void)strlcpy(buf, input, sizeof(buf)); .Ed @@ -169,6 +172,22 @@ Note that because .Xr strlcpy 3 is not defined in any standards, it should only be used when portability is not a concern. +.Pp +.Sy WARNING : +Because +.Xr strlcpy 3 +does not fully initialize +.Fa dst , +it is +.Em not +a safe NUL-terminating replacement for +.Fn strncpy +if the buffer is not separately zero-initialized. +Naively replacing +.Fn strncpy +by +.Xr strlcpy 3 +can lead to disclosure of secrets from uninitialized memory. .Sh SEE ALSO .Xr bcopy 3 , .Xr memccpy 3 ,
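Review bot: The added line `need only be be NUL-terminated, not fully initialized with NUL padding,` in hunk @@ -158,9 +158,12 @@ repeats "be"; drop one. In the WARNING added by hunk @@ -169,6 +172,22 @@, "if the buffer is not separately zero-initialized" names the condition but not the remedy; one more sentence saying that the caller must zero the whole buffer first (or keep strncpy) when the buffer is later exposed in full would make the warning actionable. The surrounding text still writes plain NUL where the rest of the page uses markup for the character name.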
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 09:39:39 UTC 2023 Modified Files: src/lib/libc/string: Makefile.inc strcpy.3 Added Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3), stpncpy(3): Split man page out of strcpy(3), stpcpy(3). These are for substantively different purposes (fixed-width fields with optional NUL padding vs NUL-terminated strings), so they don't belong together. Be more specific about the security issues. To generate a diff of this commit: cvs rdiff -u -r1.87 -r1.88 src/lib/libc/string/Makefile.inc cvs rdiff -u -r1.23 -r1.24 src/lib/libc/string/strcpy.3 cvs rdiff -u -r0 -r1.1 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/Makefile.inc diff -u src/lib/libc/string/Makefile.inc:1.87 src/lib/libc/string/Makefile.inc:1.88 --- src/lib/libc/string/Makefile.inc:1.87 Tue Aug 1 17:51:25 2023 +++ src/lib/libc/string/Makefile.inc Fri Aug 11 09:39:39 2023 @@ -1,5 +1,5 @@ # from: @(#)Makefile.inc 8.1 (Berkeley) 6/4/93 -# $NetBSD: Makefile.inc,v 1.87 2023/08/01 17:51:25 christos Exp $ +# $NetBSD: Makefile.inc,v 1.88 2023/08/11 09:39:39 riastradh Exp $ # string sources .PATH: ${ARCHDIR}/string ${.CURDIR}/string @@ -60,9 +60,10 @@ MLINKS+=popcount.3 popcount64.3 MLINKS+=strcasecmp.3 strncasecmp.3 MLINKS+=strcat.3 strncat.3 MLINKS+=strcmp.3 strncmp.3 -MLINKS+=strcpy.3 strncpy.3 strcpy.3 stpcpy.3 strcpy.3 stpncpy.3 +MLINKS+=strcpy.3 stpcpy.3 MLINKS+=strlcpy.3 strlcat.3 MLINKS+=strlen.3 strnlen.3 +MLINKS+=strncpy.3 stpncpy.3 MLINKS+=strstr.3 strcasestr.3 MLINKS+=strstr.3 strnstr.3 MLINKS+=strchr.3 strchrnul.3 Index: src/lib/libc/string/strcpy.3 diff -u src/lib/libc/string/strcpy.3:1.23 src/lib/libc/string/strcpy.3:1.24 --- src/lib/libc/string/strcpy.3:1.23 Wed Apr 1 20:18:17 2015 +++ src/lib/libc/string/strcpy.3 Fri Aug 11 09:39:39 2023 
@@ -30,16 +30,14 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp $ +.\" $NetBSD: strcpy.3,v 1.24 2023/08/11 09:39:39 riastradh Exp $ .\" -.Dd April 1, 2015 +.Dd August 11, 2023 .Dt STRCPY 3 .Os .Sh NAME .Nm stpcpy , -.Nm stpncpy , -.Nm strcpy , -.Nm strncpy +.Nm strcpy .Nd copy strings .Sh LIBRARY .Lb libc @@ -48,11 +46,7 @@ .Ft char * .Fn stpcpy "char * restrict dst" "const char * restrict src" .Ft char * -.Fn stpncpy "char * restrict dst" "const char * restrict src" "size_t len" -.Ft char * .Fn strcpy "char * restrict dst" "const char * restrict src" -.Ft char * -.Fn strncpy "char * restrict dst" "const char * restrict src" "size_t len" .Sh DESCRIPTION The .Fn stpcpy 
@@ -62,165 +56,73 @@ functions copy the string .Fa src to -.Fa dst -(including the terminating -.Ql \e0 -character). -.Pp -The -.Fn stpncpy -and -.Fn strncpy -functions copy at most -.Fa len -characters from -.Fa src -into -.Fa dst . -If -.Fa src -is less than -.Fa len -characters long, -the remainder of -.Fa dst -is filled with +.Fa dst , +including the terminating .Ql \e0 -characters. -Otherwise, -.Fa dst -is -.Em not -terminated. +character. .Pp The strings .Fa src and .Fa dst may not overlap. +The string +.Fa src +must be terminated by a +.Ql \e0 +character. +The memory for +.Fa dst +must have space for +.Fn strlen src Li "+ 1" +bytes. .Sh RETURN VALUES The .Fn strcpy -and -.Fn strncpy -functions -return +function returns .Fa dst . +.Pp The .Fn stpcpy -and -.Fn stpncpy -functions return a pointer to the terminating +function returns a pointer to the terminating .Ql \e0 character of .Fa dst . -If -.Fn stpncpy -does not terminate -.Fa dst -with a -.Dv NUL -character, it instead returns a pointer to -.Li dst[len] -(which does not necessarily refer to a valid memory location.) -.Sh EXAMPLES -The following sets -.Va chararray -to -.Dq Li abc\e0\e0\e0 : -.Bd -literal -offset indent -char chararray[6]; - -(void)strncpy(chararray, "abc", sizeof(chararray)); -.Ed -.Pp -The following sets -.Va chararray -to -.Dq Li abcdef : -.Bd -literal -offset indent -char chararray[6]; - -(void)strncpy(chararray, "abcdefgh", sizeof(chararray)); -.Ed -.Pp -Note that it does -.Em not -.Dv NUL Ns No -terminate -.Va chararray -because the length of the source string is greater than or equal -to the length parameter. -.Fn strncpy -.Em only -.Dv NUL Ns No -terminates -the destination string when the length of the source -string is less than the length parameter. -.Pp -The following copies as many characters from -.Va input -to -.Va buf -as will fit and -.Dv NUL Ns No -terminates -the result. 
-Because -.Fn strncpy -does -.Em not -guarantee to -.Dv NUL Ns No -terminate -the string itself, this must be done explicitly. -.Bd -literal -offset indent -char buf[1024]; - -(void)strncpy(buf, input, sizeof(buf) - 1); -buf[sizeof(buf) - 1] = '\e0'; -.Ed -.Pp -This could be better and more simply achieved u
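Review bot: The Makefile.inc hunk @@ -60,9 +60,10 @@ adds `MLINKS+=strncpy.3 stpncpy.3`, but neither Makefile.inc hunk adds strncpy.3 to the MAN list, so the new page is linked without being installed; add strncpy.3 to MAN+= in the same change. In the strcpy.3 hunk @@ -62,165 +56,73 @@, the new requirement that dst "must have space for strlen(src) + 1 bytes" is a good addition, and since the EXAMPLES section is removed from this page with nothing in its place, a short example that sizes dst from strlen(src) + 1 would show readers how to meet it.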
CVS commit: src/lib/libc/string
Module Name:src Committed By: riastradh Date: Fri Aug 11 08:15:30 UTC 2023 Modified Files: src/lib/libc/string: strlcpy.3 Log Message: strlcpy(3): Rework man page to clarify relation to strncpy(3). Add caveats explaining when strlcpy(3) and strlcat(3) are dangerously inadequate or inappropriate. XXX pullup-10 XXX pullup-9 XXX pullup-8 To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libc/string/strlcpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strlcpy.3 diff -u src/lib/libc/string/strlcpy.3:1.14 src/lib/libc/string/strlcpy.3:1.15 --- src/lib/libc/string/strlcpy.3:1.14 Sun Aug 28 10:48:16 2022 +++ src/lib/libc/string/strlcpy.3 Fri Aug 11 08:15:30 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: strlcpy.3,v 1.14 2022/08/28 10:48:16 hgutch Exp $ +.\" $NetBSD: strlcpy.3,v 1.15 2023/08/11 08:15:30 riastradh Exp $ .\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp .\" .\" Copyright (c) 1998, 2000 Todd C. Miller @@ -26,7 +26,7 @@ .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 1, 2001 +.Dd August 11, 2023 .Dt STRLCPY 3 .Os .Sh NAME 
@@ -46,17 +46,36 @@ The .Fn strlcpy and .Fn strlcat -functions copy and concatenate strings respectively. -They are designed -to be safer, more consistent, and less error prone replacements for +functions copy and concatenate NUL-terminated strings respectively. +.Pp +The +.Fn strlcpy +function copies up to +.Fa size +- 1 characters from the NUL-terminated string +.Fa src +to +.Fa dst , +NUL-terminating the result. +.Pp +The +.Fn strlcat +function appends the NUL-terminated string +.Fa src +to the end of +.Fa dst . +It will append at most +.Fa size +- strlen(dst) - 1 bytes, NUL-terminating the result. +.Ss Relation to Xr strncpy 3 and Xr strncat 3 +Unlike .Xr strncpy 3 and -.Xr strncat 3 . -Unlike those functions, +.Xr strncat 3 , .Fn strlcpy and .Fn strlcat -take the full size of the buffer (not just the length) and guarantee to +are guaranteed to NUL-terminate the result (as long as .Fa size is larger than 0 or, in the case of @@ -65,7 +84,26 @@ as long as there is at least one byte fr .Fa dst ) . Note that you should include a byte for the NUL in .Fa size . -Also note that +.Pp +.Sy WARNING : +Also unlike +.Xr strncpy 3 +and +.Xr strncat 3 , +.Fn strlcpy +and +.Fn strlcat +are not guaranteed to initialize all +.Fa size +bytes of +.Fa dst +\(em bytes past +.Fa dst Ns Li "[" Fn strlen src Li "+ 1" Ns Li "]" +are left uninitialized. +This can lead to security vulnerabilities such as leaking secrets from +uninitialized stack or heap buffers. +.Pp +.Sy WARNING : .Fn strlcpy and .Fn strlcat 
@@ -82,26 +120,19 @@ both and .Fa dst must be NUL-terminated. -.Pp -The +Applications handling fixed-width fields with +.Pq possibly empty +NUL padding, instead of NUL-terminated C strings, MUST use +.Xr strncpy 3 +and +.Xr strncat 3 +instead. +Attempting to use .Fn strlcpy -function copies up to -.Fa size -- 1 characters from the NUL-terminated string -.Fa src -to -.Fa dst , -NUL-terminating the result. -.Pp -The +or .Fn strlcat -function appends the NUL-terminated string -.Fa src -to the end of -.Fa dst . -It will append at most -.Fa size -- strlen(dst) - 1 bytes, NUL-terminating the result. +for these cases can lead to crashes or security vulnerabilities from +buffer overruns. .Sh RETURN VALUES The .Fn strlcpy
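Review bot: In the first WARNING added by hunk @@ -65,7 +84,26 @@, "bytes past dst[strlen(src) + 1] are left uninitialized" is off by one as written: the terminating NUL is stored at dst[strlen(src)], so dst[strlen(src) + 1] is itself the first byte left untouched. Wording such as "bytes after the terminating NUL" avoids the index and also stays correct when src is truncated to size - 1 characters. In hunk @@ -82,26 +120,19 @@, "MUST use strncpy(3) and strncat(3) instead" would benefit from saying which side is the fixed-width field for each function, since the preceding sentence sets different termination requirements for src and dst.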
CVS commit: src/lib/libc/string
Module Name:src Committed By: simonb Date: Tue Jan 31 01:42:32 UTC 2023 Modified Files: src/lib/libc/string: strchr.3 Log Message: Note that strchrnul() first appeared in glibc 2.1.1 and appeared in FreeBSD 10 before it appeared in NetBSD 8. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libc/string/strchr.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/strchr.3 diff -u src/lib/libc/string/strchr.3:1.14 src/lib/libc/string/strchr.3:1.15 --- src/lib/libc/string/strchr.3:1.14 Thu Nov 26 23:13:55 2020 +++ src/lib/libc/string/strchr.3 Tue Jan 31 01:42:32 2023 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strchr.3 8.2 (Berkeley) 4/19/94 -.\" $NetBSD: strchr.3,v 1.14 2020/11/26 23:13:55 rillig Exp $ +.\" $NetBSD: strchr.3,v 1.15 2023/01/31 01:42:32 simonb Exp $ .\" .Dd November 27, 2020 .Dt STRCHR 3 @@ -109,7 +109,10 @@ The function conforms to .St -ansiC . -.The +.Sh HISTORY +The .Fn strchrnul -function appeared in +first appeared in glibc 2.1.1 and was added to +.Fx 10 +and .Nx 8 .
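Review bot: The content change in hunk @@ -109,7 +109,10 @@ comes without a .Dd update; the first hunk still shows `.Dd November 27, 2020` as unchanged context, so bump the date together with the new HISTORY section. The rewritten sentence also lost the word "function" after `.Fn strchrnul`, so it now reads "The strchrnul first appeared in glibc 2.1.1"; restore "function" before "first appeared".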
CVS commit: src/lib/libc/string
Module Name:src Committed By: kre Date: Wed Dec 28 14:32:04 UTC 2022 Modified Files: src/lib/libc/string: swab.c Log Message: PR lib/57141 - never decrement len without actually performing a STEP. To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/lib/libc/string/swab.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/swab.c diff -u src/lib/libc/string/swab.c:1.18 src/lib/libc/string/swab.c:1.19 --- src/lib/libc/string/swab.c:1.18 Tue Jan 4 17:14:07 2011 +++ src/lib/libc/string/swab.c Wed Dec 28 14:32:04 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: swab.c,v 1.18 2011/01/04 17:14:07 martin Exp $ */ +/* $NetBSD: swab.c,v 1.19 2022/12/28 14:32:04 kre Exp $ */ /* * Copyright (c) 1988, 1993 @@ -37,7 +37,7 @@ #if 0 static char sccsid[] = "@(#)swab.c 8.1 (Berkeley) 6/4/93"; #else -__RCSID("$NetBSD: swab.c,v 1.18 2011/01/04 17:14:07 martin Exp $"); +__RCSID("$NetBSD: swab.c,v 1.19 2022/12/28 14:32:04 kre Exp $"); #endif #endif /* LIBC_SCCS and not lint */ @@ -68,8 +68,8 @@ swab(const void * __restrict from, void } /* round to multiple of 8 */ - while ((--len % 8) != 0) - STEP; + while ((len % 8) != 0) + len--, STEP; len /= 8; if (len == 0) return;
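Review bot: In hunk @@ -68,8 +68,8 @@, the new loop body `len--, STEP;` uses the comma operator to keep the decrement and the macro in one statement, which is easy to break in a later edit and hides that STEP is a macro with side effects. A braced body with `len--;` and `STEP;` on separate lines states the invariant from the log message (one decrement per STEP) directly. The old condition `(--len % 8) != 0` decremented len on the final, failing test as well, so a regression test over lengths on either side of a multiple of 8 would pin this down.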
Re: CVS commit: src/lib/libc/string
On Fri, Oct 29, 2021 at 10:11:57AM +, Nia Alarie wrote:
> Module Name: src
> Committed By: nia
> Date: Fri Oct 29 10:11:57 UTC 2021
>
> Modified Files:
> src/lib/libc/string: wcsdup.c
>
> Log Message:
> wcsdup(3): use reallocarr to catch integer overflow

Except that no such integer overflow can happen, since the input string
already has done the same computation.

Joerg
CVS commit: src/lib/libc/string
Module Name:src Committed By: nia Date: Fri Oct 29 10:11:57 UTC 2021 Modified Files: src/lib/libc/string: wcsdup.c Log Message: wcsdup(3): use reallocarr to catch integer overflow To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libc/string/wcsdup.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/string/wcsdup.c diff -u src/lib/libc/string/wcsdup.c:1.3 src/lib/libc/string/wcsdup.c:1.4 --- src/lib/libc/string/wcsdup.c:1.3 Mon May 26 13:17:48 2008 +++ src/lib/libc/string/wcsdup.c Fri Oct 29 10:11:57 2021 @@ -1,4 +1,4 @@ -/* $NetBSD: wcsdup.c,v 1.3 2008/05/26 13:17:48 haad Exp $ */ +/* $NetBSD: wcsdup.c,v 1.4 2021/10/29 10:11:57 nia Exp $ */ /* * Copyright (C) 2006 Aleksey Cheusov @@ -14,7 +14,7 @@ #include #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: wcsdup.c,v 1.3 2008/05/26 13:17:48 haad Exp $"); +__RCSID("$NetBSD: wcsdup.c,v 1.4 2021/10/29 10:11:57 nia Exp $"); #endif /* LIBC_SCCS and not lint */ #include "namespace.h" @@ -33,9 +33,9 @@ wcsdup(const wchar_t *str) _DIAGASSERT(str != NULL); len = wcslen(str) + 1; - copy = malloc(len * sizeof (wchar_t)); - if (!copy) + copy = NULL; + if (reallocarr(©, len, sizeof(wchar_t)) != 0) return NULL; return wmemcpy(copy, str, len);
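Review bot: in the @@ -33,9 +33,9 @@ hunk the value returned by reallocarr() is only compared against 0 and then dropped, so the failure path returns NULL without wcsdup() itself assigning errno, whereas the removed malloc() path left errno as malloc() set it. Check that callers still see ENOMEM here, or keep the return value and store it in errno before "return NULL". The log message should also say which overflow is being caught, given that len comes from wcslen(str) + 1 on a string that is already in memory.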
Re: CVS commit: src/lib/libc/string
    Date:        Sat, 4 Apr 2020 21:16:45 +
    From:        David Holland
    Message-ID:  <20200404211645.ga19...@netbsd.org>

  | I fail to see any scenario in which it's legitimate for an application
  | to scribble in internal data belonging to libc. Why should this be
  | permitted?

You've never done something like

        p = getenv("PATH");
        /* NULL check omitted here */
        while (q = strchr(p, ':')) {
                *q = '\0';
                /* use p to do a lookup, printf, or whatever */
                *q = ':';
                p = q + 1;
        }
        /* use p here too */

?? If you have, what's the difference, getenv() is also returning data
from libc, it could also be const char *, but isn't.

In neither case is this what would normally be called "internal data"
though, it isn't as if we're directly modifying the data structs malloc()
uses (that would be internal data) - these are the results returned from
libc to the application.

  | I don't understand. It is a bug that the library returns a writeable
  | pointer to data that should not be modified.

But we aren't returning a pointer to data that can't be modified, libc
doesn't care, one way or the other. Apps shouldn't modify it (shouldn't
attempt to) because of portability concerns with other implementations.
If we did as Joerg suggested and mmapped the message catalog pages for
the relevant locale, and simply returned a pointer to the relevant entry,
one of those could be us. But isn't.

  | Anyway, this is moot because strerror is defined by C;

That was my point. The entry in the BUGS section of the man page was
merely a rant, as this isn't (wasn't ever) something that can be fixed.

  | but because it *should* be const,
  | it should be (and is) declared with __aconst in string.h.
  |
  | Please don't change that.

Not planning anything like that - this was all about the man page.

  | Also, perhaps we should swipe the text about not modifying the string
  | buffer from strsignal.3.

I believe that what is in strerror(3) now is more or less aligned with
the intent (if not the actual language) of that.

Note that strsignal(3) doesn't contain a BUGS section ranting about how
it should really be const char *strsignal().

kre
Re: CVS commit: src/lib/libc/string
On Thu, Mar 26, 2020 at 10:54:21AM +0700, Robert Elz wrote:
> | I don't agree -- because applications shouldn't attempt to modify the
> | result, it should be const.
>
> The only reason apps shouldn't modify the string is in case of
> porting the app to an (well, some) ancient implementation. Because
> of the NLS requirements, the message these days (any modern
> implementation) must be read from some external file - which means
> the storage for it must be writable. Nothing else (except the
> calling thread) cares about the content of the returned message, so
> there's no actual reason for the app to not modify it now if for
> some wacky reason it wants to.

I fail to see any scenario in which it's legitimate for an application
to scribble in internal data belonging to libc. Why should this be
permitted?

> The entry that was in BUGS wasn't a bug - what would be a bug would
> be if we actually made strerror() return const char * - it wasn't
> even a limitation (which we traditionally include in BUGS, even
> though they're generally by design, and not accident, and not
> really intended to be "fixed") - what it was was a rant about the
> original design spec, and what's more, one which is no longer
> warranted.

I don't understand. It is a bug that the library returns a writeable
pointer to data that should not be modified.

Anyway, this is moot because strerror is defined by C; but because it
*should* be const, it should be (and is) declared with __aconst in
string.h.

Please don't change that.

Also, perhaps we should swipe the text about not modifying the string
buffer from strsignal.3.

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Thu, Mar 26, 2020 at 10:54:21AM +0700, Robert Elz wrote:
> Date:        Wed, 25 Mar 2020 20:51:25 +
> From:        David Holland
> Message-ID:  <20200325205125.ga11...@netbsd.org>
>
> | I don't agree -- because applications shouldn't attempt to modify the
> | result, it should be const.
>
> The only reason apps shouldn't modify the string is in case of porting
> the app to an (well, some) ancient implementation. Because of the NLS
> requirements, the message these days (any modern implementation) must be
> read from some external file - which means the storage for it must be
> writable.

Actually, the only reason why we really need writable space is the
unknown error case. NLS could in principle be using mmaped data as well,
modulo not being able to unmap it again.

Joerg
Re: CVS commit: src/lib/libc/string
    Date:        Wed, 25 Mar 2020 20:51:25 +
    From:        David Holland
    Message-ID:  <20200325205125.ga11...@netbsd.org>

  | I don't agree -- because applications shouldn't attempt to modify the
  | result, it should be const.

The only reason apps shouldn't modify the string is in case of porting
the app to an (well, some) ancient implementation. Because of the NLS
requirements, the message these days (any modern implementation) must be
read from some external file - which means the storage for it must be
writable. Nothing else (except the calling thread) cares about the
content of the returned message, so there's no actual reason for the app
to not modify it now if for some wacky reason it wants to.

Note that when strerror_l() was created, the opportunity to make that
return const char * existed - const existed in C by then, which it
didn't when strerror() was invented - but wasn't taken, as it was clear
by its very design that strerror_l had to return a pointer to writable
memory, so it was made char * and not const char *.

  | What it points to internally doesn't matter...

True, if the interface had been to return const char *.

The entry that was in BUGS wasn't a bug - what would be a bug would be
if we actually made strerror() return const char * - it wasn't even a
limitation (which we traditionally include in BUGS, even though they're
generally by design, and not accident, and not really intended to be
"fixed") - what it was was a rant about the original design spec, and
what's more, one which is no longer warranted.

kre

ps: I've never seen, and cannot really imagine, an app that would ever
want to modify the result from strerror(), so none of this really
matters anyway.
Re: CVS commit: src/lib/libc/string
On Wed, Mar 25, 2020 at 06:50:47PM +, Robert Elz wrote:
> Modified Files:
> src/lib/libc/string: strerror.3
>
> Log Message:
> Delete the BUGS paragraph about the "missing" const qualifier for the
> result type of strerror() (and strerror_l()). While that once should
> really have been present, when strerror() was invented, there was no
> "const" qualifier in C to apply, and now the way the code is written
> (really needs to be because of NLS support) the const is no longer
> really appropriate.
>
> Applications still shouldn't attempt to modify the result however.

I don't agree -- because applications shouldn't attempt to modify the
result, it should be const. What it points to internally doesn't
matter...

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Jun 24, 4:35am, riastr...@netbsd.org (Taylor R Campbell) wrote:
-- Subject: Re: CVS commit: src/lib/libc/string

| Oops, that was silly of me -- the libc symbols actually have a double-
| underscore prefix, presumably meaning `these are internal; do not
| use'. Should I move the man pages to section 9, or do we want these
| exposed in libc, presumably requiring some weak aliasing cruft?
| Discuss on tech-userlevel?

This is one of the problems -- the double underscore... I suppose that
the solution to that is to get rid of the double __ and expose them only
if _NETBSD_SOURCE.

| (Now it seems I am railroading ahead with these changes, sorry...)

No that is not a problem. You are discussing what's to be done and
that's correct. Perhaps moving the discussion to tech-userlevel where it
was in the first place.

christos
Re: CVS commit: src/lib/libc/string
On Jun 24, 3:54am, riastr...@netbsd.org (Taylor R Campbell) wrote:
-- Subject: Re: CVS commit: src/lib/libc/string

|    Date: Mon, 24 Jun 2013 01:36:29 + (UTC)
|    From: chris...@astron.com (Christos Zoulas)
|
|    I've objected many times railroading those in and casting them into stone
|    by adding man pages and making them part of a formal release. I give up
|    :-(
|
| Sorry, I didn't mean to stonewall or railroad anything; I just didn't
| want to volunteer to go through the whole tree and replace every
| reference and break all the builds with my inevitable mistakes in the
| process. But OK -- I'll see whether I can sed my way through this
| tonight without breaking too much.

There are very few uses of them. That's the point. Please try to fix
them.

christos
Re: CVS commit: src/lib/libc/string
On Mon, 24 Jun 2013, Taylor R Campbell wrote:
> Discuss on tech-userlevel?

Yes please.

--apb (Alan Barrett)
Re: CVS commit: src/lib/libc/string
Oops, that was silly of me -- the libc symbols actually have a
double-underscore prefix, presumably meaning `these are internal; do not
use'. Should I move the man pages to section 9, or do we want these
exposed in libc, presumably requiring some weak aliasing cruft?
Discuss on tech-userlevel?

(Now it seems I am railroading ahead with these changes, sorry...)
Re: CVS commit: src/lib/libc/string
   Date: Mon, 24 Jun 2013 01:36:29 + (UTC)
   From: chris...@astron.com (Christos Zoulas)

   I've objected many times railroading those in and casting them into stone
   by adding man pages and making them part of a formal release. I give up
   :-(

Sorry, I didn't mean to stonewall or railroad anything; I just didn't
want to volunteer to go through the whole tree and replace every
reference and break all the builds with my inevitable mistakes in the
process. But OK -- I'll see whether I can sed my way through this
tonight without breaking too much.
Re: CVS commit: src/lib/libc/string
In article <20130623164406.d678...@cvs.netbsd.org>,
Taylor R Campbell wrote:
>-=-=-=-=-=-

I've objected many times railroading those in and casting them into stone
by adding man pages and making them part of a formal release. I give up
:-(

christos
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 05:40:51PM +0100, Joerg Sonnenberger wrote:
> > And why should the/any static analyzer have to figure that out when
> > coding it right makes it a nonissue?
>
> Because that's what is making warnings useful. To not complain about
> non-issues.

Like this?

   const char *
   foo(const char *s)
   {
      size_t len;
      char *t;

      len = strlen(s);
      if (len >= 2 && s[0] == s[len-1]) {
         t = s+1;
      } else {
         t = s;
      }
      return strchr(t, '"');
   }

We require that this be written with a "const" on t, even though it's a
"non-issue". Part of the price of checking is the obligation to provide
code that has the details right.

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 04:23:46PM +, David Holland wrote:
> On Fri, Nov 25, 2011 at 02:48:30PM +0100, Joerg Sonnenberger wrote:
> > > > > > > Sure it does. You should just have written the code using (size_t)1,
> > > > > > > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > > > > > > unsigned long long.
> > > > > > >
> > > > > > > ... Unless what you meant was "get rid of all 32-bit ports" :-)
> > > > > >
> > > > > > Well, there is Win64 and this is essentially portable code...
> > > > >
> > > > > so use (size_t)1 then.
> > > >
> > > > Point remains that the original code is correct and no overflow can
> > > > happen. As such lint's behavior is just bogus.
> > >
> > > Warning about 64->32 truncation is useful. Coding to avoid unnecessary
> > > ones is straightforward. I think you're complaining only because you
> > > got caught out by it :-)
> >
> > Which part of "it can't truncate" is hard to understand? I am
> > complaining because it is no reason to error out.
>
> And why should the/any static analyzer have to figure that out when
> coding it right makes it a nonissue?

Because that's what is making warnings useful. To not complain about
non-issues.

Joerg
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 02:48:30PM +0100, Joerg Sonnenberger wrote:
> > > > > > Sure it does. You should just have written the code using
> > > > > > (size_t)1,
> > > > > > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > > > > > unsigned long long.
> > > > > >
> > > > > > ... Unless what you meant was "get rid of all 32-bit ports" :-)
> > > > >
> > > > > Well, there is Win64 and this is essentially portable code...
> > > >
> > > > so use (size_t)1 then.
> > >
> > > Point remains that the original code is correct and no overflow can
> > > happen. As such lint's behavior is just bogus.
> >
> > Warning about 64->32 truncation is useful. Coding to avoid unnecessary
> > ones is straightforward. I think you're complaining only because you
> > got caught out by it :-)
>
> Which part of "it can't truncate" is hard to understand? I am
> complaining because it is no reason to error out.

And why should the/any static analyzer have to figure that out when
coding it right makes it a nonissue?

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 01:44:24PM +, David Holland wrote:
> On Fri, Nov 25, 2011 at 02:29:12PM +0100, Joerg Sonnenberger wrote:
> > > > > Sure it does. You should just have written the code using (size_t)1,
> > > > > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > > > > unsigned long long.
> > > > >
> > > > > ... Unless what you meant was "get rid of all 32-bit ports" :-)
> > > >
> > > > Well, there is Win64 and this is essentially portable code...
> > >
> > > so use (size_t)1 then.
> >
> > Point remains that the original code is correct and no overflow can
> > happen. As such lint's behavior is just bogus.
>
> Warning about 64->32 truncation is useful. Coding to avoid unnecessary
> ones is straightforward. I think you're complaining only because you
> got caught out by it :-)

Which part of "it can't truncate" is hard to understand? I am
complaining because it is no reason to error out.

Joerg
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 02:29:12PM +0100, Joerg Sonnenberger wrote:
> > > > Sure it does. You should just have written the code using (size_t)1,
> > > > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > > > unsigned long long.
> > > >
> > > > ... Unless what you meant was "get rid of all 32-bit ports" :-)
> > >
> > > Well, there is Win64 and this is essentially portable code...
> >
> > so use (size_t)1 then.
>
> Point remains that the original code is correct and no overflow can
> happen. As such lint's behavior is just bogus.

Warning about 64->32 truncation is useful. Coding to avoid unnecessary
ones is straightforward. I think you're complaining only because you
got caught out by it :-)

Ideally lint on amd64 would have warned also; that would have avoided
the broken build...

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 01:18:19PM +, David Holland wrote:
> On Fri, Nov 25, 2011 at 02:15:12PM +0100, Joerg Sonnenberger wrote:
> > > Sure it does. You should just have written the code using (size_t)1,
> > > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > > unsigned long long.
> > >
> > > ... Unless what you meant was "get rid of all 32-bit ports" :-)
> >
> > Well, there is Win64 and this is essentially portable code...
>
> so use (size_t)1 then.

Point remains that the original code is correct and no overflow can
happen. As such lint's behavior is just bogus.

Joerg
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 02:15:12PM +0100, Joerg Sonnenberger wrote:
> > Sure it does. You should just have written the code using (size_t)1,
> > or even just 1UL, instead of 1ULL. There is no port where size_t is
> > unsigned long long.
> >
> > ... Unless what you meant was "get rid of all 32-bit ports" :-)
>
> Well, there is Win64 and this is essentially portable code...

so use (size_t)1 then.

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 12:57:29PM +, David Holland wrote:
> On Fri, Nov 25, 2011 at 01:01:34PM +0100, Joerg Sonnenberger wrote:
> > > Log Message:
> > > Add explicit casts to make lint happy and fix the NetBSD/i386 build.
> >
> > Can we please just get rid of this PoS? This doesn't even qualify as bad
> > signal to noise ratio.
>
> Sure it does. You should just have written the code using (size_t)1,
> or even just 1UL, instead of 1ULL. There is no port where size_t is
> unsigned long long.
>
> ... Unless what you meant was "get rid of all 32-bit ports" :-)

Well, there is Win64 and this is essentially portable code...

Joerg
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 01:01:34PM +0100, Joerg Sonnenberger wrote:
> > Log Message:
> > Add explicit casts to make lint happy and fix the NetBSD/i386 build.
>
> Can we please just get rid of this PoS? This doesn't even qualify as bad
> signal to noise ratio.

Sure it does. You should just have written the code using (size_t)1,
or even just 1UL, instead of 1ULL. There is no port where size_t is
unsigned long long.

... Unless what you meant was "get rid of all 32-bit ports" :-)

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
On Fri, Nov 25, 2011 at 09:00:51AM +, Matthias Scheler wrote:
> Module Name: src
> Committed By: tron
> Date: Fri Nov 25 09:00:51 UTC 2011
>
> Modified Files:
> src/lib/libc/string: wcscspn_bloom.h
>
> Log Message:
> Add explicit casts to make lint happy and fix the NetBSD/i386 build.

Can we please just get rid of this PoS? This doesn't even qualify as bad
signal to noise ratio.

Joerg
Re: CVS commit: src/lib/libc/string
Am 24.11.11 19:44, schrieb Joerg Sonnenberger: > Module Name: src > Committed By: joerg > Date: Thu Nov 24 18:44:25 UTC 2011 > > Modified Files: > src/lib/libc/string: wcscspn.c wcspbrk.c > Added Files: > src/lib/libc/string: wcscspn_bloom.h This breaks the build on i386, at least. > > Log Message: > In wcscspn and wcspbrk, handle set size of 0 and 1 explicitly. > For larger sets, use a bloom filter to avoid the inner loop for most of > the input. The current implementation uses a simple modular hash as > first function (well suited for input e.g. in ISO Latin character sets) > and a more complex multiplicative hash as second function with a filter > size of 512 Bit. This reduces the typical run time to O(n+m). > > > To generate a diff of this commit: > cvs rdiff -u -r1.3 -r1.4 src/lib/libc/string/wcscspn.c > cvs rdiff -u -r0 -r1.1 src/lib/libc/string/wcscspn_bloom.h > cvs rdiff -u -r1.4 -r1.5 src/lib/libc/string/wcspbrk.c > > Please note that diffs are not public domain; they are subject to the > copyright notices on the relevant files. > > > > > Modified files: > > Index: src/lib/libc/string/wcscspn.c > diff -u src/lib/libc/string/wcscspn.c:1.3 src/lib/libc/string/wcscspn.c:1.4 > --- src/lib/libc/string/wcscspn.c:1.3 Mon Nov 21 15:02:48 2011 > +++ src/lib/libc/string/wcscspn.c Thu Nov 24 18:44:25 2011 > @@ -1,7 +1,8 @@ > -/* $NetBSD: wcscspn.c,v 1.3 2011/11/21 15:02:48 joerg Exp $*/ > +/* $NetBSD: wcscspn.c,v 1.4 2011/11/24 18:44:25 joerg Exp $*/ > > /*- > - * Copyright (c)1999 Citrus Project, > + * Copyright (c) 1999 Citrus Project, > + * Copyright (c) 2011 Joerg Sonnenberger, > * All rights reserved. > * > * Redistribution and use in source and binary forms, with or without 
> @@ -29,25 +30,45 @@ > */ > > #include > -__RCSID("$NetBSD: wcscspn.c,v 1.3 2011/11/21 15:02:48 joerg Exp $"); > +__RCSID("$NetBSD: wcscspn.c,v 1.4 2011/11/24 18:44:25 joerg Exp $"); > > #include > +#include > +#include > #include > > +#include "wcscspn_bloom.h" > + > size_t > wcscspn(const wchar_t *s, const wchar_t *set) > { > + size_t bloom[BLOOM_ARRAY_SIZE]; > const wchar_t *p; > const wchar_t *q; > > _DIAGASSERT(s != NULL); > _DIAGASSERT(set != NULL); > > + if (set[0] == '\0') > + return wcslen(s); > + if (set[1] == '\0') { > + for (p = s; *p; ++p) > + if (*p == set[0]) > + break; > + return p - s; > + } > + > + wcsspn_bloom_init(bloom, set); > + > for (p = s; *p; ++p) { > - for (q = set; *q; ++q) { > + if (!wcsspn_in_bloom(bloom, *p)) > + continue; > + > + q = set; > + do { > if (*p == *q) > goto done; > - } > + } while (*++q); > } > > done: > > Index: src/lib/libc/string/wcspbrk.c > diff -u src/lib/libc/string/wcspbrk.c:1.4 src/lib/libc/string/wcspbrk.c:1.5 > --- src/lib/libc/string/wcspbrk.c:1.4 Mon Nov 21 15:02:48 2011 > +++ src/lib/libc/string/wcspbrk.c Thu Nov 24 18:44:25 2011 > @@ -1,7 +1,8 @@ > -/* $NetBSD: wcspbrk.c,v 1.4 2011/11/21 15:02:48 joerg Exp $*/ > +/* $NetBSD: wcspbrk.c,v 1.5 2011/11/24 18:44:25 joerg Exp $*/ > > /*- > - * Copyright (c)1999 Citrus Project, > + * Copyright (c) 1999 Citrus Project, > + * Copyright (c) 2011 Joerg Sonnenberger, > * All rights reserved. > * > * Redistribution and use in source and binary forms, with or without 
> @@ -29,25 +30,41 @@ > */ > > #include > -__RCSID("$NetBSD: wcspbrk.c,v 1.4 2011/11/21 15:02:48 joerg Exp $"); > +__RCSID("$NetBSD: wcspbrk.c,v 1.5 2011/11/24 18:44:25 joerg Exp $"); > > #include > +#include > +#include > #include > > +#include "wcscspn_bloom.h" > + > wchar_t * > wcspbrk(const wchar_t *s, const wchar_t *set) > { > + size_t bloom[BLOOM_ARRAY_SIZE]; > const wchar_t *p; > const wchar_t *q; > > _DIAGASSERT(s != NULL); > _DIAGASSERT(set != NULL); > > + if (set[0] == '\0') > + return NULL; > + if (set[1] == '\0') > + return wcschr(s, set[0]); > + > + wcsspn_bloom_init(bloom, set); > + > for (p = s; *p; ++p) { > - for (q = set; *q; ++q) { > + if (!wcsspn_in_bloom(bloom, *p)) > + continue; > + > + q = set; > + do { > if (*p == *q) > return __UNCONST(p); > - } > + } while (*++q); > } > return NULL; > } > > Added files: > > Index: src/lib/libc/string/wcscspn_bloom.h > diff -u /dev/null src/lib/libc/string/wcscspn_bloom.h:1.1 > --- /dev/null Thu Nov 24 18:44:25 2011 > +++ src/lib/libc/string/wcscspn_bloom.h Thu Nov 24 18:44:25 2011 > @@ -0,0 +1,84 @@ > +/* $NetBSD: wcscspn_bloom.h,v 1.1 2011/11/24 18:44:25 joer
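Review bot: in the wcscspn.c @@ -29,25 +30,45 @@ hunk the helpers are called wcsspn_bloom_init() and wcsspn_in_bloom(), while the header that provides them is wcscspn_bloom.h and the callers are wcscspn() and wcspbrk(); settle on one spelling so the names can be found together. The inner "do { ... } while (*++q);" is correct only because the set[0] == '\0' case has already returned, and a one-line comment stating that would protect the loop from a later reordering of the early exits.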
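Review bot: the wcspbrk.c @@ -29,25 +30,41 @@ hunk repeats the filter setup and scan loop of the wcscspn.c hunk line for line, differing only in the early exits and the return statements. Consider expressing one function through the other, or moving the shared loop into wcscspn_bloom.h, so that a later fix to the scan cannot land in one copy and be missed in the other.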
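The approach described in the quoted log message (explicit handling of set sizes 0 and 1, then a 512-bit filter with a modular and a multiplicative hash in front of the exact comparison), as an added example that is not the NetBSD code. The names bloom_init, bloom_maybe, bloom_wcscspn and bloom_has_all are hypothetical, and the multiplicative constant is an assumption, since the header in the quoted patch is cut off.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

#define BLOOM_BITS   512u                        /* filter size named in the log message */
#define WORD_BITS    (sizeof(size_t) * CHAR_BIT)
#define BLOOM_WORDS  (BLOOM_BITS / WORD_BITS)

/* First hash: plain modular reduction of the character value. */
static size_t hash_mod(wchar_t ch)
{
    return (size_t)(uint32_t)ch % BLOOM_BITS;
}

/* Second hash: multiplicative; the constant is an assumption for this example. */
static size_t hash_mul(wchar_t ch)
{
    uint32_t h = (uint32_t)ch * 2654435761u;     /* wraps modulo 2^32 */
    return (size_t)(h >> 23);                    /* top 9 bits: 0..511 */
}

static void bloom_set(size_t *bloom, size_t bit)
{
    /* (size_t)1 keeps the shift in the array's element type on every port. */
    bloom[bit / WORD_BITS] |= (size_t)1 << (bit % WORD_BITS);
}

static int bloom_test(const size_t *bloom, size_t bit)
{
    return (int)((bloom[bit / WORD_BITS] >> (bit % WORD_BITS)) & 1);
}

void bloom_init(size_t *bloom, const wchar_t *set)
{
    memset(bloom, 0, BLOOM_WORDS * sizeof(*bloom));
    for (; *set != L'\0'; ++set) {
        bloom_set(bloom, hash_mod(*set));
        bloom_set(bloom, hash_mul(*set));
    }
}

/* 0 means "certainly not in the set"; 1 means "possibly in the set". */
int bloom_maybe(const size_t *bloom, wchar_t ch)
{
    return bloom_test(bloom, hash_mod(ch)) && bloom_test(bloom, hash_mul(ch));
}

size_t bloom_wcscspn(const wchar_t *s, const wchar_t *set)
{
    size_t bloom[BLOOM_WORDS];
    const wchar_t *p, *q;

    if (set[0] == L'\0')                         /* empty set: nothing can match */
        return wcslen(s);
    if (set[1] == L'\0') {                       /* one member: plain scan, no filter */
        for (p = s; *p != L'\0' && *p != set[0]; ++p)
            continue;
        return (size_t)(p - s);
    }

    bloom_init(bloom, set);
    for (p = s; *p != L'\0'; ++p) {
        if (!bloom_maybe(bloom, *p))
            continue;                            /* filter miss: skip the inner loop */
        for (q = set; *q != L'\0'; ++q)          /* filter hit: confirm exactly */
            if (*p == *q)
                return (size_t)(p - s);
    }
    return (size_t)(p - s);
}

/* A Bloom filter must never reject a member: returns 1 if every member passes. */
int bloom_has_all(const wchar_t *set)
{
    size_t bloom[BLOOM_WORDS];

    bloom_init(bloom, set);
    for (; *set != L'\0'; ++set)
        if (!bloom_maybe(bloom, *set))
            return 0;
    return 1;
}
```

A filter hit is only a hint, so the result never depends on the hash functions chosen; they affect how often the inner loop runs, not what is returned.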
Re: CVS commit: src/lib/libc/string
On Mon, Apr 19, 2010 at 03:02:05AM +, Christos Zoulas wrote:
> In article <20100419021334.ga8...@britannica.bec.de>,
> Joerg Sonnenberger wrote:
> >On Sun, Apr 18, 2010 at 10:51:35AM +, Alan Barrett wrote:
> >> Log Message:
> >> Bitwise operations on signed types are well-defined if the values
> >> happen to be positive, and indeed the values here were guaranteed
> >> to be positive, but some compilers complained anyway, so convert
> >> the bitwise operations to arithmetic operations.
> >
> >In that case use an explicit cast to the unsigned type. What you did is
> >penalize the code for no good reason.
>
> Any compiler these days knows how to do these micro-optimizations.

For *unsigned* that is easy. For *signed* it is a lot harder.

Joerg
Re: CVS commit: src/lib/libc/string
On Mon, 19 Apr 2010, Joerg Sonnenberger wrote:
> On Sun, Apr 18, 2010 at 10:51:35AM +, Alan Barrett wrote:
> > Log Message:
> > Bitwise operations on signed types are well-defined if the values
> > happen to be positive, and indeed the values here were guaranteed
> > to be positive, but some compilers complained anyway, so convert
> > the bitwise operations to arithmetic operations.
>
> In that case use an explicit cast to the unsigned type. What you did is
> penalize the code for no good reason.

I expect the compiler to be able to figure out that some arithmetic
operations involving powers of 2 are equivalent to bitwise operations,
and to choose the most appropriate instructions. This expectation is not
entirely unjustified; for example, I just verified that "gcc -O2" emits
identical code for the following two functions:

int f(int i)
{
        if (i < 0) return 0;
        return i >> 3;
}

int g(int i)
{
        if (i < 0) return 0;
        return i / 8;
}

--apb (Alan Barrett)
Re: CVS commit: src/lib/libc/string
On Mon, Apr 19, 2010 at 03:02:05AM +, Christos Zoulas wrote:
>> In that case use an explicit cast to the unsigned type. What you did is
>> penalize the code for no good reason.
>
> Any compiler these days knows how to do these micro-optimizations.

Furthermore, as swab() is fairly useless, its performance isn't
especially important anyway.

--
David A. Holland
dholl...@netbsd.org
Re: CVS commit: src/lib/libc/string
In article <20100419021334.ga8...@britannica.bec.de>,
Joerg Sonnenberger wrote:
>On Sun, Apr 18, 2010 at 10:51:35AM +, Alan Barrett wrote:
>> Log Message:
>> Bitwise operations on signed types are well-defined if the values
>> happen to be positive, and indeed the values here were guaranteed
>> to be positive, but some compilers complained anyway, so convert
>> the bitwise operations to arithmetic operations.
>
>In that case use an explicit cast to the unsigned type. What you did is
>penalize the code for no good reason.

Any compiler these days knows how to do these micro-optimizations.

christos
Re: CVS commit: src/lib/libc/string
On Sun, Apr 18, 2010 at 10:51:35AM +, Alan Barrett wrote:
> Log Message:
> Bitwise operations on signed types are well-defined if the values
> happen to be positive, and indeed the values here were guaranteed
> to be positive, but some compilers complained anyway, so convert
> the bitwise operations to arithmetic operations.

In that case use an explicit cast to the unsigned type. What you did is
penalize the code for no good reason.

Joerg
Re: CVS commit: src/lib/libc/string
On Apr 18, 11:01am, mar...@duskware.de (Martin Husemann) wrote:
-- Subject: Re: CVS commit: src/lib/libc/string

| On Sat, Apr 17, 2010 at 09:14:21PM -0400, Christos Zoulas wrote:
| > Yes, it does not make sense, but that is what POSIX specifies.
|
| Yeah, but wouldn't ignoring this part (keeping it size_t) still work
| for all valid calls, i.e. differing from the obviously stupid standard
| be a harmless thing?

Does not work for the function pointer assignment case.

christos
Re: CVS commit: src/lib/libc/string
On Sat, Apr 17, 2010 at 09:14:21PM -0400, Christos Zoulas wrote:
> Yes, it does not make sense, but that is what POSIX specifies.

Yeah, but wouldn't ignoring this part (keeping it size_t) still work
for all valid calls, i.e. differing from the obviously stupid standard
be a harmless thing?

Martin
Re: CVS commit: src/lib/libc/string
On Apr 17, 11:25pm, mar...@netbsd.org (Martin Husemann) wrote:
-- Subject: Re: CVS commit: src/lib/libc/string

| On Sat, Apr 17, 2010 at 01:57:39PM -0400, Christos Zoulas wrote:
| > Module Name: src
| > Committed By: christos
| > Date: Sat Apr 17 17:57:39 UTC 2010
| >
| > Modified Files:
| > src/lib/libc/string: swab.3 swab.c
| >
| > Log Message:
| > Change and document for POSIX compliance.
|
| The restrict part was fine, but why ssize_t? It just does not make
| any sense at all, especially with the "ignore negative values" part.

Yes, it does not make sense, but that is what POSIX specifies.

christos
Re: CVS commit: src/lib/libc/string
On Sat, Apr 17, 2010 at 01:57:39PM -0400, Christos Zoulas wrote:
> Module Name: src
> Committed By: christos
> Date: Sat Apr 17 17:57:39 UTC 2010
>
> Modified Files:
> src/lib/libc/string: swab.3 swab.c
>
> Log Message:
> Change and document for POSIX compliance.

The restrict part was fine, but why ssize_t? It just does not make
any sense at all, especially with the "ignore negative values" part.

Martin
Re: CVS commit: src/lib/libc/string
On Wed, Aug 05, 2009 at 04:08:00PM +, Joerg Sonnenberger wrote:
> Module Name: src
> Committed By: joerg
> Date: Wed Aug 5 16:08:00 UTC 2009
>
> Modified Files:
> src/lib/libc/string: Lint_ffs.c

I'm not sure why we have these Lint_xxx.c stubs for functions where we
have a real C source file. I see no reason not to just pass lint the
standard implementation. About all you lose is the .d file, and I'm not
sure the .ln target is generated in the depend files - in any case it
doesn't really matter that much if lint loses the dependencies against
header files for these functions.

The recent changes I made to the libc makefile don't use the Lint_xxx.c
stubs for files where the presence of a .S file in SRCS auto-removes the
corresponding .c file.

David

--
David Laight: da...@l8s.co.uk
Re: CVS commit: src/lib/libc/string
On Thu, Jul 30, 2009 at 09:46:44PM -0400, Perry E. Metzger wrote:
>
> David Laight writes:
> > Module Name: src
> > Committed By: dsl
> > Date: Thu Jul 30 21:42:06 UTC 2009
> >
> > Modified Files:
> > src/lib/libc/string: strcspn.c strspn.c
> >
> > Log Message:
> > Use a 'register only' str[c]spn() on 64 bit systems.
>
> How much of a speedup is this?

It probably takes about 2/3 the time on my athlon. I got similar times
with some tests on f.n.o (some intel cpu). The gain is missing out the
3 clock delay on every memory read.

David

--
David Laight: da...@l8s.co.uk
Re: CVS commit: src/lib/libc/string
David Laight writes:
> Module Name: src
> Committed By: dsl
> Date: Thu Jul 30 21:42:06 UTC 2009
>
> Modified Files:
> src/lib/libc/string: strcspn.c strspn.c
>
> Log Message:
> Use a 'register only' str[c]spn() on 64 bit systems.

How much of a speedup is this?

Also, you have a spelling error in a comment.

Perry
Re: CVS commit: src/lib/libc/string
In article <20090410232748.gs25357__19460.5905832306$1239406176$gmane$...@danbala.tuwien.ac.at>,
Thomas Klausner wrote:
>On Fri, Apr 10, 2009 at 07:13:38PM -0400, Christos Zoulas wrote:
>> Module Name: src
>> Committed By: christos
>> Date: Fri Apr 10 23:13:38 UTC 2009
>>
>> Modified Files:
>> src/lib/libc/string: Makefile.inc memchr.3
>> Added Files:
>> src/lib/libc/string: memrchr.c
>>
>> Log Message:
>> add memrchr
>
>const unsigned char *p = s;
>
>Shouldn't this be
>const unsigned char *p = s+n;
>?
>
>But perhaps I misunderstand what it should do. I thought it would look
>in the area [s, s+n-1] for c from the right. It seems to me that it
>currently looks in [s-n+1, s] for c from the right.

The implementation that I saw did exactly that, but I looked more and it
appears to be wrong. I will fix it.

christos
Re: CVS commit: src/lib/libc/string
Christos Zoulas wrote:
> Module Name: src
> Committed By: christos
> Date: Fri Apr 10 23:13:38 UTC 2009
>
> Modified Files:
> src/lib/libc/string: Makefile.inc memchr.3
> Added Files:
> src/lib/libc/string: memrchr.c
>
> Log Message:
> add memrchr

why not the 2-clause license ?

Christoph
Re: CVS commit: src/lib/libc/string
On Fri, Apr 10, 2009 at 07:13:38PM -0400, Christos Zoulas wrote:
> Module Name: src
> Committed By: christos
> Date: Fri Apr 10 23:13:38 UTC 2009
>
> Modified Files:
> src/lib/libc/string: Makefile.inc memchr.3
> Added Files:
> src/lib/libc/string: memrchr.c
>
> Log Message:
> add memrchr

const unsigned char *p = s;

Shouldn't this be
const unsigned char *p = s+n;
?

But perhaps I misunderstand what it should do. I thought it would look
in the area [s, s+n-1] for c from the right. It seems to me that it
currently looks in [s-n+1, s] for c from the right.

Thomas
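The range question raised in this message, as an added example that is not the memrchr.c from the commit: a reverse scan that starts at s + n and only ever reads bytes in [s, s + n - 1]. The names scan_memrchr and scan_offset and the sample arena are constructed for illustration; the arena puts a matching byte immediately before and after the window so that a scan reaching outside it would be visible in the result.

```c
#include <stddef.h>

/*
 * Find the last occurrence of (unsigned char)c in [s, s + n - 1].
 * Hypothetical name, chosen so it cannot clash with a libc memrchr.
 */
void *
scan_memrchr(const void *s, int c, size_t n)
{
    const unsigned char *base = s;
    const unsigned char *p = base + n;       /* one past the last byte */
    const unsigned char ch = (unsigned char)c;

    while (p != base) {                      /* never steps below s */
        if (*--p == ch)
            return (void *)p;
    }
    return NULL;                             /* also the n == 0 case */
}

/* Constructed sample: 'x' sits before, inside and after the window at [1..4]. */
static const unsigned char arena[] = { 'x', 'a', 'b', 'x', 'c', 'x' };

/* Offset of the match within arena, or -1 when nothing in the window matches. */
long
scan_offset(size_t start, int c, size_t n)
{
    const unsigned char *hit = scan_memrchr(arena + start, c, n);

    return hit == NULL ? -1L : (long)(hit - arena);
}
```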