The information in the strncpy() / strncat() section is incorrect.
Firstly, strncpy() was not designed to be a "safer strcpy()" at all. It was designed for storing strings in the manner of original UNIX directory entries: in a fixed size buffer, null-padded only if the stored string is shorter than the buffer. This is why it fills the buffer with nulls, and why it doesn't necessarily null-terminate the destination.
Secondly, contrary to what the article implies, strncat() does not work this way: strncat() always null-terminates the destination, and it doesn't write any extra nulls.
Thanks, I will make the necessary corrections shortly.
The strncat() behavior is quite confusing. I can understand expecting the buffer to already be null-padded and skipping that step, but always null-terminating the result seems to go against strncpy()'s expected behavior. It also looks mildly dangerous, as the NUL-write can be one after the size given.
Having the size so fixed, storing the 15th character that would always be null on the disks (and also in memory) was a pure waste. Note that earliest versions of Unix run in less than 64 KB.
When copying the name to a fixed buffer of 14 characters which is to be stored on the disk, padding the buffer with nulls was also not a performance issue and had a benefit of not leaving "junk" in the buffer.
The problems only happen when people expect from such routines with very specific usage scenarios something for which they were not designed.
So the strncpy was never meant to be "a safer veriant for strcpy." Moreover, strcpy_s is also not a replacement for strncpy, but for a strcpy -- it was introduced to be replaced instead of strcpy in the old code bases as a part of reducing the number of security issues in the old code.
Of course there is (in Microsoft's CRT) strncpy_s, the rationale behind all _s functions is here:
"Sized Buffers. The secure functions require that the buffer size be passed to any function that writes to a buffer. The secure versions validate that the buffer is large enough before writing to it, helping to avoid dangerous buffer overrun errors that could allow malicious code to execute. These functions usually return an errno type of error code and invoke the invalid parameter handler if the size of the buffer is too small. Functions that read from input buffers, such as gets, have secure versions that require you to specify a maximum size.
(...)
Null termination. Some functions that left potentially non-terminated strings have secure versions which ensure that strings are properly null terminated."
The article is based on the wrong premises.
Advice: if you work low level with substrings and concatenations, where the performance matters, don't try to fix the str routines, use the pointers. Maintain the pointer to the last character of the area to which you concatenate. Traverse only the characters you need from the source. If you don't care about the performance or exact storage aspects, use much higher level approaches, some string libraries.
If len overflows and wraps (i.e. the sum of string lengths is > SIZE_MAX-1), you'll allocate less memory than is required and memcpy will write outside of buffer bounds.
Yeah, don't use cstrings. If you're using C, use bstrings. If you're using C++, use std::string. Ignore the extra three bytes of memory overhead and enjoy the extra safety.
Yeah, there might be a few cases were null terminated strings work okay but mostly they are just a recipe for buffer overflows. Seriously, how many years is this going to take to figure out?
'that is what the libc runtime, which is the foundation that every language ultimately reaches down to in the end, is built around.'
Except, interestingly enough, Go code compiled with the standard compilers (5g, 6g, 8g, see http://golang.org/doc/go_faq.html#How_is_the_run_time_suppor...). The Plan9 expats are hell-bent on doing things their own way, I am 70% in agreement with them :).
Well, Go code will eventually call into OS-level functions. And when your Linux kernel is built in C, the eventual calls to open(), etc will need null-terminated strings. So you will have to make a copy, eg std::string::c_str().
Deficiencies in strl aside, most C programmers do not realize the target-padding that is going on with the strn family. Discussion is always good, but it will be much more of an uphill battle to introduce new routines than it would be to get strn users to use strl. I've seen too many people bitten by declaring something like:
char buf[65536]; /* 64k is enough for everything! */
The best system involves keeping end pointers, not lengths. Remaining length changes. End pointer never changes. At previous job we converted our whole code base to this system, and it worked great.
I figured the actual length value may be useful without needing pointer arithmetic, but this is a nice solution to the argument taking the size, and the return being the length (size-1, eg p[return]=NUL location.)
I'll consider this idea and write some comparisons to see how it works, thanks.
I should note that I usually write articles to kick off discussions on my own forum, and then revise them after all input is gathered. They almost never appear on other sites, especially pre-revision.
I'm not saying the strmcpy/cat functions there now are the best solution, and I'm open to hearing what's wrong with them so that we can improve upon them.
Granted, it's a tiny example, but you're going to be writing fewer bugs in the long run if you avoid being clever. So here are two rules to start with:
1. Never put more than one statement on one line.
2. Never use the comma operator outside the "for" syntax.
[+] [-] caf|14 years ago|reply
Firstly, strncpy() was not designed to be a "safer strcpy()" at all. It was designed for storing strings in the manner of original UNIX directory entries: in a fixed size buffer, null-padded only if the stored string is shorter than the buffer. This is why it fills the buffer with nulls, and why it doesn't necessarily null-terminate the destination.
Secondly, contrary to what the article implies, strncat() does not work this way: strncat() always null-terminates the destination, and it doesn't write any extra nulls.
[+] [-] byuu|14 years ago|reply
The strncat() behavior is quite confusing. I can understand expecting the buffer to already be null-padded and skipping that step, but always null-terminating the result seems to go against strncpy()'s expected behavior. It also looks mildly dangerous, as the NUL-write can be one after the size given.
[+] [-] acqq|14 years ago|reply
http://computing.fnal.gov/unixatfermilab/html/filesys.html
Having the size so fixed, storing the 15th character that would always be null on the disks (and also in memory) was a pure waste. Note that earliest versions of Unix run in less than 64 KB.
When copying the name to a fixed buffer of 14 characters which is to be stored on the disk, padding the buffer with nulls was also not a performance issue and had a benefit of not leaving "junk" in the buffer.
The problems only happen when people expect from such routines with very specific usage scenarios something for which they were not designed.
So the strncpy was never meant to be "a safer veriant for strcpy." Moreover, strcpy_s is also not a replacement for strncpy, but for a strcpy -- it was introduced to be replaced instead of strcpy in the old code bases as a part of reducing the number of security issues in the old code.
Of course there is (in Microsoft's CRT) strncpy_s, the rationale behind all _s functions is here:
http://msdn.microsoft.com/en-us/library/8ef0s5kh(v=vs.80).as...
"Sized Buffers. The secure functions require that the buffer size be passed to any function that writes to a buffer. The secure versions validate that the buffer is large enough before writing to it, helping to avoid dangerous buffer overrun errors that could allow malicious code to execute. These functions usually return an errno type of error code and invoke the invalid parameter handler if the size of the buffer is too small. Functions that read from input buffers, such as gets, have secure versions that require you to specify a maximum size.
(...)
Null termination. Some functions that left potentially non-terminated strings have secure versions which ensure that strings are properly null terminated."
The article is based on the wrong premises.
Advice: if you work low level with substrings and concatenations, where the performance matters, don't try to fix the str routines, use the pointers. Maintain the pointer to the last character of the area to which you concatenate. Traverse only the characters you need from the source. If you don't care about the performance or exact storage aspects, use much higher level approaches, some string libraries.
[+] [-] sambeau|14 years ago|reply
[+] [-] dchest|14 years ago|reply
[+] [-] tedunangst|14 years ago|reply
[+] [-] koenigdavidmj|14 years ago|reply
[+] [-] jrockway|14 years ago|reply
[+] [-] nas|14 years ago|reply
[+] [-] wickedchicken|14 years ago|reply
Except, interestingly enough, Go code compiled with the standard compilers (5g, 6g, 8g, see http://golang.org/doc/go_faq.html#How_is_the_run_time_suppor...). The Plan9 expats are hell-bent on doing things their own way, I am 70% in agreement with them :).
[+] [-] byuu|14 years ago|reply
[+] [-] justincormack|14 years ago|reply
And much of libc is not well designed for modern code. Mostky I ptogram to the system call API in C.
[+] [-] apaprocki|14 years ago|reply
[+] [-] grout|14 years ago|reply
[+] [-] byuu|14 years ago|reply
I'll consider this idea and write some comparisons to see how it works, thanks.
[+] [-] byuu|14 years ago|reply
I should note that I usually write articles to kick off discussions on my own forum, and then revise them after all input is gathered. They almost never appear on other sites, especially pre-revision.
I'm not saying the strmcpy/cat functions there now are the best solution, and I'm open to hearing what's wrong with them so that we can improve upon them.
[+] [-] dlazar|14 years ago|reply
1. Never put more than one statement on one line.
2. Never use the comma operator outside the "for" syntax.
[+] [-] pixelbeat|14 years ago|reply