simplify the strlcpy/strlcat manual page substantially. do less

explaining of "what a C string is", and make it more clear that these functiosn BEHAVE EXACTLY LIKE snprintf with "%s"! (anyone who wants to write a 'strlcpy considered harmful' paper should probably write a 'strlcpy and snprintf considered harmful' paper instead). note to those from other projects reading this commit message: It would be very good if this new manual was picked up in your project. ok jmc millert krw
author: deraadt <> 2012-04-02 17:33:11 +0000
committer: deraadt <> 2012-04-02 17:33:11 +0000
commit: 0be23ed0f4fd50120e36d2885c172686ec809f3f (patch)
tree: 243ddb013ff4c755b2049c9808a9646db47be462
parent: b2d1fd8918f095aaf70b8d435a3b7ee0ec0b5ef3 (diff)
download: openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.tar.gz
openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.tar.bz2
openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.zip
1 files changed, 58 insertions, 70 deletions
diff --git a/src/lib/libc/string/strlcpy.3 b/src/lib/libc/string/strlcpy.3
index ead54ec438..e04284d5c3 100644
--- a/src/lib/libc/string/strlcpy.3
+++ b/src/lib/libc/string/strlcpy.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: strlcpy.3,v 1.20 2011/07/25 00:38:53 schwarze Exp $
+.\"     $OpenBSD: strlcpy.3,v 1.21 2012/04/02 17:33:11 deraadt Exp $
 .\"
 .\" Copyright (c) 1998, 2000 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 25 2011 $
+.Dd $Mdocdate: April 2 2012 $
 .Dt STRLCPY 3
 .Os
 .Sh NAME
@@ -24,72 +24,79 @@
 .Sh SYNOPSIS
 .Fd #include <string.h>
 .Ft size_t
-.Fn strlcpy "char *dst" "const char *src" "size_t size"
+.Fn strlcpy "char *dst" "const char *src" "size_t dstsize"
 .Ft size_t
-.Fn strlcat "char *dst" "const char *src" "size_t size"
+.Fn strlcat "char *dst" "const char *src" "size_t dstsize"
 .Sh DESCRIPTION
 The
 .Fn strlcpy
 and
 .Fn strlcat
-functions copy and concatenate strings respectively.
+functions copy and concatenate strings with the
-They are designed
+same input parameters and output result as
-to be safer, more consistent, and less error prone replacements for
+.Xr snprintf 3 .
+They are designed to be safer, more consistent, and less error
+prone replacements for the easily misused functions
 .Xr strncpy 3
 and
 .Xr strncat 3 .
-Unlike those functions,
+.Pp
-.Fn strlcpy
-and
-.Fn strlcat
-take the full size of the buffer (not just the length) and guarantee to
-NUL-terminate the result (as long as
-.Fa size
-is larger than 0 or, in the case of
-.Fn strlcat ,
-as long as there is at least one byte free in
-.Fa dst ) .
-Note that a byte for the NUL should be included in
-.Fa size .
-Also note that
 .Fn strlcpy
 and
 .Fn strlcat
-only operate on true
+take the full size of the destination buffer and guarantee
-.Dq C
+NUL-termination if there is room.
-strings.
+Note that room for the NUL should be included in
-This means that for
+.Fa dstsize .
-.Fn strlcpy
-.Fa src
-must be NUL-terminated and for
-.Fn strlcat
-both
-.Fa src
-and
-.Fa dst
-must be NUL-terminated.
 .Pp
-The
 .Fn strlcpy
-function copies up to
+copies up to
-.Fa size
+.Fa dstsize
- 1 characters from the NUL-terminated string
+\- 1 characters from the string
 .Fa src
 to
 .Fa dst ,
-NUL-terminating the result.
+NUL-terminating the result if
+.Fa dstsize
+is not 0.
 .Pp
-The
 .Fn strlcat
-function appends the NUL-terminated string
+appends string
 .Fa src
 to the end of
 .Fa dst .
 It will append at most
-.Fa size
+.Fa dstsize
- strlen(dst) - 1 bytes, NUL-terminating the result.
+\- strlen(dst) \- 1 characters.
+It will then NUL-terminate, unless
+.Fa dstsize
+is 0 or the original
+.Fa dst
+string was longer than
+.Fa dstsize
+(in practice this should not happen
+as it means that either
+.Fa dstsize
+is incorrect or that
+.Fa dst
+is not a proper string).
 .Sh RETURN VALUES
-The
+Besides quibbles over the return type
+.Pf ( Va size_t
+versus
+.Va int )
+and signal handler safety
+.Xr ( snprintf 3
+is not entirely safe on some systems), the
+following two are equivalent:
+.Bd -literal -offset indent
+n = strlcpy(dst, src, len);
+n = snprintf(dst, len, "%s", src);
+.Ed
+.Pp
+Like
+.Xr snprintf 3 ,
+the
 .Fn strlcpy
 and
 .Fn strlcat
@@ -105,29 +112,12 @@ that means the initial length of
 plus
 the length of
 .Fa src .
-While this may seem somewhat confusing, it was done to make
-truncation detection simple.
 .Pp
-Note, however, that if
+If the return value is
-.Fn strlcat
+.Cm >=
-traverses
+.Va dstsize ,
-.Fa size
+the output string has been truncated.
-characters without finding a NUL, the length of the string is considered
+It is the caller's responsibility to handle this.
-to be
-.Fa size
-and the destination string will not be NUL-terminated (since there was
-no space for the NUL).
-This keeps
-.Fn strlcat
-from running off the end of a string.
-In practice this should not happen (as it means that either
-.Fa size
-is incorrect or that
-.Fa dst
-is not a proper
-.Dq C
-string).
-The check exists to prevent potential security problems in incorrect code.
 .Sh EXAMPLES
 The following code fragment illustrates the simple case:
 .Bd -literal -offset indent
@@ -179,16 +169,14 @@ As a matter of fact, the first version of this manual page got it wrong.
 .Xr strncpy 3 ,
 .Xr wcslcpy 3
 .Sh HISTORY
-The
 .Fn strlcpy
 and
 .Fn strlcat
-functions first appeared in
+first appeared in
 .Ox 2.4 .
 .Sh AUTHORS
-The
 .Fn strlcpy
 and
 .Fn strlcat
-functions were created by
+were created by
 .An Todd C. Miller Aq Todd.Miller@courtesan.com .
author	deraadt <>	2012-04-02 17:33:11 +0000
committer	deraadt <>	2012-04-02 17:33:11 +0000
commit	0be23ed0f4fd50120e36d2885c172686ec809f3f (patch)
tree	243ddb013ff4c755b2049c9808a9646db47be462
parent	b2d1fd8918f095aaf70b8d435a3b7ee0ec0b5ef3 (diff)
download	openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.tar.gz openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.tar.bz2 openbsd-0be23ed0f4fd50120e36d2885c172686ec809f3f.zip

diff --git a/src/lib/libc/string/strlcpy.3 b/src/lib/libc/string/strlcpy.3 index ead54ec438..e04284d5c3 100644 --- a/src/lib/libc/string/strlcpy.3 +++ b/src/lib/libc/string/strlcpy.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: strlcpy.3,v 1.20 2011/07/25 00:38:53 schwarze Exp $	1	.\" $OpenBSD: strlcpy.3,v 1.21 2012/04/02 17:33:11 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1998, 2000 Todd C. Miller <Todd.Miller@courtesan.com>	3	.\" Copyright (c) 1998, 2000 Todd C. Miller <Todd.Miller@courtesan.com>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: July 25 2011 $	17	.Dd $Mdocdate: April 2 2012 $
18	.Dt STRLCPY 3	18	.Dt STRLCPY 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -24,72 +24,79 @@
24	.Sh SYNOPSIS	24	.Sh SYNOPSIS
25	.Fd #include <string.h>	25	.Fd #include <string.h>
26	.Ft size_t	26	.Ft size_t
27	.Fn strlcpy "char dst" "const char src" "size_t size"	27	.Fn strlcpy "char dst" "const char src" "size_t dstsize"
28	.Ft size_t	28	.Ft size_t
29	.Fn strlcat "char dst" "const char src" "size_t size"	29	.Fn strlcat "char dst" "const char src" "size_t dstsize"
30	.Sh DESCRIPTION	30	.Sh DESCRIPTION
31	The	31	The
32	.Fn strlcpy	32	.Fn strlcpy
33	and	33	and
34	.Fn strlcat	34	.Fn strlcat
35	functions copy and concatenate strings respectively.	35	functions copy and concatenate strings with the
36	They are designed	36	same input parameters and output result as
37	to be safer, more consistent, and less error prone replacements for	37	.Xr snprintf 3 .
		38	They are designed to be safer, more consistent, and less error
		39	prone replacements for the easily misused functions
38	.Xr strncpy 3	40	.Xr strncpy 3
39	and	41	and
40	.Xr strncat 3 .	42	.Xr strncat 3 .
41	Unlike those functions,	43	.Pp
42	.Fn strlcpy
43	and
44	.Fn strlcat
45	take the full size of the buffer (not just the length) and guarantee to
46	NUL-terminate the result (as long as
47	.Fa size
48	is larger than 0 or, in the case of
49	.Fn strlcat ,
50	as long as there is at least one byte free in
51	.Fa dst ) .
52	Note that a byte for the NUL should be included in
53	.Fa size .
54	Also note that
55	.Fn strlcpy	44	.Fn strlcpy
56	and	45	and
57	.Fn strlcat	46	.Fn strlcat
58	only operate on true	47	take the full size of the destination buffer and guarantee
59	.Dq C	48	NUL-termination if there is room.
60	strings.	49	Note that room for the NUL should be included in
61	This means that for	50	.Fa dstsize .
62	.Fn strlcpy
63	.Fa src
64	must be NUL-terminated and for
65	.Fn strlcat
66	both
67	.Fa src
68	and
69	.Fa dst
70	must be NUL-terminated.
71	.Pp	51	.Pp
72	The
73	.Fn strlcpy	52	.Fn strlcpy
74	function copies up to	53	copies up to
75	.Fa size	54	.Fa dstsize
76	- 1 characters from the NUL-terminated string	55	\- 1 characters from the string
77	.Fa src	56	.Fa src
78	to	57	to
79	.Fa dst ,	58	.Fa dst ,
80	NUL-terminating the result.	59	NUL-terminating the result if
		60	.Fa dstsize
		61	is not 0.
81	.Pp	62	.Pp
82	The
83	.Fn strlcat	63	.Fn strlcat
84	function appends the NUL-terminated string	64	appends string
85	.Fa src	65	.Fa src
86	to the end of	66	to the end of
87	.Fa dst .	67	.Fa dst .
88	It will append at most	68	It will append at most
89	.Fa size	69	.Fa dstsize
90	- strlen(dst) - 1 bytes, NUL-terminating the result.	70	\- strlen(dst) \- 1 characters.
		71	It will then NUL-terminate, unless
		72	.Fa dstsize
		73	is 0 or the original
		74	.Fa dst
		75	string was longer than
		76	.Fa dstsize
		77	(in practice this should not happen
		78	as it means that either
		79	.Fa dstsize
		80	is incorrect or that
		81	.Fa dst
		82	is not a proper string).
91	.Sh RETURN VALUES	83	.Sh RETURN VALUES
92	The	84	Besides quibbles over the return type
		85	.Pf ( Va size_t
		86	versus
		87	.Va int )
		88	and signal handler safety
		89	.Xr ( snprintf 3
		90	is not entirely safe on some systems), the
		91	following two are equivalent:
		92	.Bd -literal -offset indent
		93	n = strlcpy(dst, src, len);
		94	n = snprintf(dst, len, "%s", src);
		95	.Ed
		96	.Pp
		97	Like
		98	.Xr snprintf 3 ,
		99	the
93	.Fn strlcpy	100	.Fn strlcpy
94	and	101	and
95	.Fn strlcat	102	.Fn strlcat
@@ -105,29 +112,12 @@ that means the initial length of
105	plus	112	plus
106	the length of	113	the length of
107	.Fa src .	114	.Fa src .
108	While this may seem somewhat confusing, it was done to make
109	truncation detection simple.
110	.Pp	115	.Pp
111	Note, however, that if	116	If the return value is
112	.Fn strlcat	117	.Cm >=
113	traverses	118	.Va dstsize ,
114	.Fa size	119	the output string has been truncated.
115	characters without finding a NUL, the length of the string is considered	120	It is the caller's responsibility to handle this.
116	to be
117	.Fa size
118	and the destination string will not be NUL-terminated (since there was
119	no space for the NUL).
120	This keeps
121	.Fn strlcat
122	from running off the end of a string.
123	In practice this should not happen (as it means that either
124	.Fa size
125	is incorrect or that
126	.Fa dst
127	is not a proper
128	.Dq C
129	string).
130	The check exists to prevent potential security problems in incorrect code.
131	.Sh EXAMPLES	121	.Sh EXAMPLES
132	The following code fragment illustrates the simple case:	122	The following code fragment illustrates the simple case:
133	.Bd -literal -offset indent	123	.Bd -literal -offset indent
@@ -179,16 +169,14 @@ As a matter of fact, the first version of this manual page got it wrong.
179	.Xr strncpy 3 ,	169	.Xr strncpy 3 ,
180	.Xr wcslcpy 3	170	.Xr wcslcpy 3
181	.Sh HISTORY	171	.Sh HISTORY
182	The
183	.Fn strlcpy	172	.Fn strlcpy
184	and	173	and
185	.Fn strlcat	174	.Fn strlcat
186	functions first appeared in	175	first appeared in
187	.Ox 2.4 .	176	.Ox 2.4 .
188	.Sh AUTHORS	177	.Sh AUTHORS
189	The
190	.Fn strlcpy	178	.Fn strlcpy
191	and	179	and
192	.Fn strlcat	180	.Fn strlcat
193	functions were created by	181	were created by
194	.An Todd C. Miller Aq Todd.Miller@courtesan.com .	182	.An Todd C. Miller Aq Todd.Miller@courtesan.com .