Module Name: src Committed By: riastradh Date: Fri Aug 11 09:39:39 UTC 2023
Modified Files: src/lib/libc/string: Makefile.inc strcpy.3 Added Files: src/lib/libc/string: strncpy.3 Log Message: strncpy(3), stpncpy(3): Split man page out of strcpy(3), stpcpy(3). These are for substantively different purposes (fixed-width fields with optional NUL padding vs NUL-terminated strings), so they don't belong together. Be more specific about the security issues. To generate a diff of this commit: cvs rdiff -u -r1.87 -r1.88 src/lib/libc/string/Makefile.inc cvs rdiff -u -r1.23 -r1.24 src/lib/libc/string/strcpy.3 cvs rdiff -u -r0 -r1.1 src/lib/libc/string/strncpy.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libc/string/Makefile.inc diff -u src/lib/libc/string/Makefile.inc:1.87 src/lib/libc/string/Makefile.inc:1.88 --- src/lib/libc/string/Makefile.inc:1.87 Tue Aug 1 17:51:25 2023 +++ src/lib/libc/string/Makefile.inc Fri Aug 11 09:39:39 2023 @@ -1,5 +1,5 @@ # from: @(#)Makefile.inc 8.1 (Berkeley) 6/4/93 -# $NetBSD: Makefile.inc,v 1.87 2023/08/01 17:51:25 christos Exp $ +# $NetBSD: Makefile.inc,v 1.88 2023/08/11 09:39:39 riastradh Exp $ # string sources .PATH: ${ARCHDIR}/string ${.CURDIR}/string @@ -60,9 +60,10 @@ MLINKS+=popcount.3 popcount64.3 MLINKS+=strcasecmp.3 strncasecmp.3 MLINKS+=strcat.3 strncat.3 MLINKS+=strcmp.3 strncmp.3 -MLINKS+=strcpy.3 strncpy.3 strcpy.3 stpcpy.3 strcpy.3 stpncpy.3 +MLINKS+=strcpy.3 stpcpy.3 MLINKS+=strlcpy.3 strlcat.3 MLINKS+=strlen.3 strnlen.3 +MLINKS+=strncpy.3 stpncpy.3 MLINKS+=strstr.3 strcasestr.3 MLINKS+=strstr.3 strnstr.3 MLINKS+=strchr.3 strchrnul.3 Index: src/lib/libc/string/strcpy.3 diff -u src/lib/libc/string/strcpy.3:1.23 src/lib/libc/string/strcpy.3:1.24 --- src/lib/libc/string/strcpy.3:1.23 Wed Apr 1 20:18:17 2015 +++ src/lib/libc/string/strcpy.3 Fri Aug 11 09:39:39 2023 @@ -30,16 +30,14 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 -.\" $NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp $ +.\" $NetBSD: strcpy.3,v 1.24 2023/08/11 09:39:39 riastradh Exp $ .\" -.Dd April 1, 2015 +.Dd August 11, 2023 .Dt STRCPY 3 .Os .Sh NAME .Nm stpcpy , -.Nm stpncpy , -.Nm strcpy , -.Nm strncpy +.Nm strcpy .Nd copy strings .Sh LIBRARY .Lb libc @@ -48,11 +46,7 @@ .Ft char * .Fn stpcpy "char * restrict dst" "const char * restrict src" .Ft char * -.Fn stpncpy "char * restrict dst" "const char * restrict src" "size_t len" -.Ft char * .Fn strcpy "char * restrict dst" "const char * restrict src" -.Ft char * -.Fn strncpy "char * restrict dst" "const char * restrict src" "size_t len" .Sh DESCRIPTION The .Fn stpcpy @@ -62,165 +56,73 @@ functions copy the string .Fa src to -.Fa dst -(including the terminating -.Ql \e0 -character). -.Pp -The -.Fn stpncpy -and -.Fn strncpy -functions copy at most -.Fa len -characters from -.Fa src -into -.Fa dst . -If -.Fa src -is less than -.Fa len -characters long, -the remainder of -.Fa dst -is filled with +.Fa dst , +including the terminating .Ql \e0 -characters. -Otherwise, -.Fa dst -is -.Em not -terminated. +character. .Pp The strings .Fa src and .Fa dst may not overlap. +The string +.Fa src +must be terminated by a +.Ql \e0 +character. +The memory for +.Fa dst +must have space for +.Fn strlen src Li "+ 1" +bytes. .Sh RETURN VALUES The .Fn strcpy -and -.Fn strncpy -functions -return +function returns .Fa dst . +.Pp The .Fn stpcpy -and -.Fn stpncpy -functions return a pointer to the terminating +function returns a pointer to the terminating .Ql \e0 character of .Fa dst . -If -.Fn stpncpy -does not terminate -.Fa dst -with a -.Dv NUL -character, it instead returns a pointer to -.Li dst[len] -(which does not necessarily refer to a valid memory location.) -.Sh EXAMPLES -The following sets -.Va chararray -to -.Dq Li abc\e0\e0\e0 : -.Bd -literal -offset indent -char chararray[6]; - -(void)strncpy(chararray, "abc", sizeof(chararray)); -.Ed -.Pp -The following sets -.Va chararray -to -.Dq Li abcdef : -.Bd -literal -offset indent -char chararray[6]; - -(void)strncpy(chararray, "abcdefgh", sizeof(chararray)); -.Ed -.Pp -Note that it does -.Em not -.Dv NUL Ns No -terminate -.Va chararray -because the length of the source string is greater than or equal -to the length parameter. -.Fn strncpy -.Em only -.Dv NUL Ns No -terminates -the destination string when the length of the source -string is less than the length parameter. -.Pp -The following copies as many characters from -.Va input -to -.Va buf -as will fit and -.Dv NUL Ns No -terminates -the result. -Because -.Fn strncpy -does -.Em not -guarantee to -.Dv NUL Ns No -terminate -the string itself, this must be done explicitly. -.Bd -literal -offset indent -char buf[1024]; - -(void)strncpy(buf, input, sizeof(buf) - 1); -buf[sizeof(buf) - 1] = '\e0'; -.Ed -.Pp -This could be better and more simply achieved using -.Xr strlcpy 3 , -as shown in the following example: -.Bd -literal -offset indent -(void)strlcpy(buf, input, sizeof(buf)); -.Ed -.Pp -Note that because -.Xr strlcpy 3 -is not defined in any standards, it should -only be used when portability is not a concern. .Sh SEE ALSO .Xr bcopy 3 , .Xr memccpy 3 , .Xr memcpy 3 , .Xr memmove 3 , .Xr strlcpy 3 , +.Xr strncpy 3 , .Xr wcscpy 3 .Sh STANDARDS The .Fn strcpy -and -.Fn strncpy -functions -conform to +function conforms to .St -isoC-99 . +.Pp The .Fn stpcpy -and -.Fn stpncpy -functions conform to +function conforms to .St -p1003.1-2008 . .Sh HISTORY The .Fn stpcpy -and -.Fn stpncpy -functions first appeared in +function first appeared in .Nx 6.0 . .Sh SECURITY CONSIDERATIONS The .Fn strcpy and .Fn stpcpy -functions are easily misused in a manner which enables malicious users -to arbitrarily change a running program's functionality through a -buffer overflow attack. +functions copy until a +.Ql \e0 +terminator without any bounds checks on the size of the input or output +buffers. +If the input buffer is missing a +.Ql \e0 +terminator, or the input string is longer than the output buffer, this +can lead to crashes or security vulnerabilities from buffer overruns, +including disclosure of secrets in memory and arbitrary code +execution. Added files: Index: src/lib/libc/string/strncpy.3 diff -u /dev/null src/lib/libc/string/strncpy.3:1.1 --- /dev/null Fri Aug 11 09:39:39 2023 +++ src/lib/libc/string/strncpy.3 Fri Aug 11 09:39:39 2023 @@ -0,0 +1,200 @@ +.\" Copyright (c) 1990, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" This code is derived from software contributed to Berkeley by +.\" Chris Torek and the American National Standards Committee X3, +.\" on Information Processing Systems. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" from: @(#)strcpy.3 8.1 (Berkeley) 6/4/93 +.\" $NetBSD: strncpy.3,v 1.1 2023/08/11 09:39:39 riastradh Exp $ +.\" +.Dd August 11, 2023 +.Dt STRNCPY 3 +.Os +.Sh NAME +.Nm stpncpy , +.Nm strncpy +.Nd copy fixed-width string buffers +.Sh LIBRARY +.Lb libc +.Sh SYNOPSIS +.In string.h +.Ft char * +.Fn stpncpy "char * restrict dst" "const char * restrict src" "size_t len" +.Ft char * +.Fn strncpy "char * restrict dst" "const char * restrict src" "size_t len" +.Sh DESCRIPTION +The +.Fn stpncpy +and +.Fn strncpy +functions copy at most +.Fa len +.No non- Ns Ql \e0 +characters from +.Fa src +into +.Fa dst . +If +.Fa src +is less than +.Fa len +characters long before the first +.Ql \e0 +character, the remainder of +.Fa dst +is filled with +.Ql \e0 +characters. +Otherwise, +.Fa dst +is +.Em not +terminated with a +.Ql \e0 +character. +.Pp +The strings +.Fa src +and +.Fa dst +may not overlap. +.Sh RETURN VALUES +The +.Fn strncpy +function returns +.Fa dst . +.Pp +The +.Fn stpncpy +function returns a pointer to the terminating +.Ql \e0 +character of +.Fa dst . +If +.Fn stpncpy +does not terminate +.Fa dst +with a +.Dv NUL +character, it instead returns a pointer to +.Fa dst Ns Li "[" Fa len Ns Li "]" Ns , +which may be one past the last element of an array. +.Sh EXAMPLES +The following sets +.Va chararray +to +.Dq Li abc\e0\e0\e0 : +.Bd -literal -offset indent +char chararray[6]; + +(void)strncpy(chararray, "abc", sizeof(chararray)); +.Ed +.Pp +The following sets +.Va chararray +to +.Dq Li abcdef : +.Bd -literal -offset indent +char chararray[6]; + +(void)strncpy(chararray, "abcdefgh", sizeof(chararray)); +.Ed +.Pp +Note that it does +.Em not +.Dv NUL Ns No -terminate +.Va chararray +because the length of the source string is greater than or equal +to the length parameter. +.Fn strncpy +.Em only +.Dv NUL Ns No -terminates +the destination string when the length of the source +string is less than the length parameter. +.Pp +The following copies as many characters from +.Va input +to +.Va buf +as will fit and +.Dv NUL Ns No -terminates +the result. +Because +.Fn strncpy +does +.Em not +guarantee to +.Dv NUL Ns No -terminate +the string itself, this must be done explicitly. +.Bd -literal -offset indent +char buf[1024]; + +(void)strncpy(buf, input, sizeof(buf) - 1); +buf[sizeof(buf) - 1] = '\e0'; +.Ed +.Pp +This could be better and more simply achieved using +.Xr strlcpy 3 , +as shown in the following example: +.Bd -literal -offset indent +(void)strlcpy(buf, input, sizeof(buf)); +.Ed +.Pp +Note that because +.Xr strlcpy 3 +is not defined in any standards, it should +only be used when portability is not a concern. +.Sh SEE ALSO +.Xr bcopy 3 , +.Xr memccpy 3 , +.Xr memcpy 3 , +.Xr memmove 3 , +.Xr strcpy 3 , +.Xr strlcpy 3 , +.Xr wcscpy 3 +.Sh STANDARDS +The +.Fn strncpy +function conforms to +.St -isoC-99 . +.Pp +The +.Fn stpncpy +function conforms to +.St -p1003.1-2008 . +.Sh HISTORY +The +.Fn stpncpy +function first appeared in +.Nx 6.0 . +.Sh SECURITY CONSIDERATIONS +The +.Fn stpncpy +and +.Fn strncpy +functions are not guaranteed to NUL-terminate the result.