Use somewhat harsher language and better examples; demonstrate that

non-dangerous use functions is difficult. ok guenther
author: deraadt <> 2014-04-19 11:30:40 +0000
committer: deraadt <> 2014-04-19 11:30:40 +0000
commit: ac3cb5c172d4edffffbf917c401f9b4bfecea55f (patch)
tree: fcfc398023e666979cbe5ad67cb1e398e980f095 /src/lib/libc/string
parent: d43e1f468c006866ad7261a6e699a0fe621ad9ba (diff)
download: openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.tar.gz
openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.tar.bz2
openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.zip
4 files changed, 88 insertions, 109 deletions
diff --git a/src/lib/libc/string/strcat.3 b/src/lib/libc/string/strcat.3
index fba992edd9..7368d08e4b 100644
--- a/src/lib/libc/string/strcat.3
+++ b/src/lib/libc/string/strcat.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: strcat.3,v 1.16 2013/12/19 20:52:37 millert Exp $
+.\"     $OpenBSD: strcat.3,v 1.17 2014/04/19 11:30:40 deraadt Exp $
 .\"
 .\" Copyright (c) 1990, 1991 The Regents of the University of California.
 .\" All rights reserved.
@@ -31,12 +31,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2013 $
+.Dd $Mdocdate: April 19 2014 $
 .Dt STRCAT 3
 .Os
 .Sh NAME
 .Nm strcat
-.Nd concatenate two strings
+.Nd concatenate two strings without bounds checking
 .Sh SYNOPSIS
 .In string.h
 .Ft char *
@@ -50,22 +50,19 @@ to the end of the NUL-terminated string
 .Fa s ,
 then adds a terminating
 .Ql \e0 .
-The string
+.Pp
-.Fa s
+No bounds checking is performed.
-must have sufficient space to hold the result.
+If the buffer
+.Fa dst
+is not large enough to hold the result,
+subsequent memory will be damaged.
 .Sh RETURN VALUES
 The
 .Fn strcat
 function return the pointer
 .Fa s .
 .Sh SEE ALSO
-.Xr bcopy 3 ,
-.Xr memccpy 3 ,
-.Xr memcpy 3 ,
-.Xr memmove 3 ,
-.Xr strcpy 3 ,
 .Xr strlcpy 3 ,
-.Xr strncat 3 ,
 .Xr wcscat 3 ,
 .Xr wcslcpy 3
 .Sh STANDARDS
diff --git a/src/lib/libc/string/strcpy.3 b/src/lib/libc/string/strcpy.3
index 849184d1f5..7174f7c963 100644
--- a/src/lib/libc/string/strcpy.3
+++ b/src/lib/libc/string/strcpy.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: strcpy.3,v 1.20 2013/12/19 20:52:37 millert Exp $
+.\"     $OpenBSD: strcpy.3,v 1.21 2014/04/19 11:30:40 deraadt Exp $
 .\"
 .\" Copyright (c) 1990, 1991 The Regents of the University of California.
 .\" All rights reserved.
@@ -31,12 +31,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2013 $
+.Dd $Mdocdate: April 19 2014 $
 .Dt STRCPY 3
 .Os
 .Sh NAME
 .Nm strcpy
-.Nd copy a string
+.Nd copy a string without bounds checking
 .Sh SYNOPSIS
 .In string.h
 .Ft char *
@@ -46,43 +46,35 @@ The
 .Fn strcpy
 function copies the string
 .Fa src
-to
-.Fa dst
 (including the terminating
 .Ql \e0
-character).
+character) to the buffer
-The string
+.Fa dst .
+.Pp
+No bounds checking is performed.
+If the buffer
 .Fa dst
-must be at least as large as
+is not large enough to hold the result,
-.Fa src
+subsequent memory will be damaged.
-to hold the result.
 .Pp
 If the
 .Fa src
-and
+string is inside the
 .Fa dst
-strings overlap, the behavior is undefined.
+buffer, the behavior is undefined.
 .Sh RETURN VALUES
 The
 .Fn strcpy
 function returns
 .Fa dst .
 .Sh SEE ALSO
-.Xr bcopy 3 ,
-.Xr memccpy 3 ,
-.Xr memcpy 3 ,
-.Xr memmove 3 ,
-.Xr strcat 3 ,
 .Xr strlcpy 3 ,
-.Xr strncpy 3 ,
 .Xr wcscpy 3 ,
 .Xr wcslcpy 3
 .Sh STANDARDS
 The
 .Fn strcpy
-and
+function conforms to
-.Fn strncpy
-functions conform to
 .St -ansiC .
 .Sh HISTORY
 The
diff --git a/src/lib/libc/string/strncat.3 b/src/lib/libc/string/strncat.3
index bd15ef10fa..c0a0da57c7 100644
--- a/src/lib/libc/string/strncat.3
+++ b/src/lib/libc/string/strncat.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: strncat.3,v 1.2 2013/12/19 22:00:58 jmc Exp $
+.\"     $OpenBSD: strncat.3,v 1.3 2014/04/19 11:30:40 deraadt Exp $
 .\"
 .\" Copyright (c) 1990, 1991 The Regents of the University of California.
 .\" All rights reserved.
@@ -31,7 +31,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2013 $
+.Dd $Mdocdate: April 19 2014 $
 .Dt STRNCAT 3
 .Os
 .Sh NAME
@@ -40,86 +40,91 @@
 .Sh SYNOPSIS
 .In string.h
 .Ft char *
-.Fn strncat "char *s" "const char *append" "size_t count"
+.Fn strncat "char *dst" "const char *append" "size_t count"
 .Sh DESCRIPTION
 The
 .Fn strncat
 function appends not more than
 .Fa count
-characters of the NUL-terminated string
+characters of the string
 .Fa append
-to the end of the NUL-terminated string
+to the end of the string found in the buffer
-.Fa s .
+.Fa dst .
 Space for the terminating
 .Ql \e0
 should not be included in
 .Fa count .
-The string
+.Pp
-.Fa s
+Bounds checking must be performed manually with great care.
-must have sufficient space to hold the result.
+If the buffer
+.Fa dst
+is not large enough to hold the result,
+subsequent memory will be damaged.
 .Sh RETURN VALUES
 The
 .Fn strncat
 function returns the pointer
-.Fa s .
+.Fa dst .
 .Sh EXAMPLES
-The following appends
-.Dq Li abc
-to
-.Va chararray :
-.Bd -literal -offset indent
-char *letters = "abcdefghi";
-(void)strncat(chararray, letters, 3);
-.Ed
-.Pp
 The following example shows how to use
 .Fn strncat
-safely in conjunction with
+in conjunction with
-.Xr strncpy 3 .
+.Xr strncpy 3 :
 .Bd -literal -offset indent
 char buf[BUFSIZ];
-char *input, *suffix;
+char *base, *suffix;
-(void)strncpy(buf, input, sizeof(buf) - 1);
+(void)strncpy(buf, base, sizeof(buf) - 1);
 buf[sizeof(buf) - 1] = '\e0';
 (void)strncat(buf, suffix, sizeof(buf) - 1 - strlen(buf));
 .Ed
 .Pp
 The above will copy as many characters from
-.Va input
+.Va base
 to
 .Va buf
 as will fit.
 It then appends as many characters from
 .Va suffix
-as will fit (or none
+as will fit.
-if there is no space).
+If either
-For operations like this, the
+.Va base
+or
+.Va suffix
+are too large, truncation will occur without detection.
+.Pp
+The above example shows dangerous coding patterns, including an
+inability to detect truncation.
+.Fn strncat
+and
+.Fn strncpy
+are dangerously easy to misuse.
+The
 .Xr strlcpy 3
 and
 .Xr strlcat 3
-functions are a better choice, as shown below.
+functions are safer for this kind of operation:
+.Bd -literal -offset indent
+if (strlcpy(buf, base, sizeof(buf)) >= sizeof(buf) ||
+    strlcat(buf, suffix, sizeof(buf)) >= sizeof(buf))
+        goto toolong;
+.Ed
+or for greatest portability,
 .Bd -literal -offset indent
-(void)strlcpy(buf, input, sizeof(buf));
+if (snprintf(buf, sizeof(buf), "%s%s",
-(void)strlcat(buf, suffix, sizeof(buf));
+    base, suffix) >= sizeof(buf))
+        goto toolong;
 .Ed
 .Sh SEE ALSO
-.Xr bcopy 3 ,
-.Xr memccpy 3 ,
-.Xr memcpy 3 ,
-.Xr memmove 3 ,
-.Xr strcat 3 ,
-.Xr strcpy 3 ,
 .Xr strlcpy 3 ,
 .Xr wcscat 3 ,
 .Xr wcslcpy 3
 .Sh STANDARDS
 The
-.Fn strcat
-and
 .Fn strncat
-functions conform to
+function conform to
 .St -ansiC .
 .Sh HISTORY
 The
diff --git a/src/lib/libc/string/strncpy.3 b/src/lib/libc/string/strncpy.3
index dd8ddb86fc..3a68a0bd5b 100644
--- a/src/lib/libc/string/strncpy.3
+++ b/src/lib/libc/string/strncpy.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: strncpy.3,v 1.1 2013/12/19 20:52:37 millert Exp $
+.\"     $OpenBSD: strncpy.3,v 1.2 2014/04/19 11:30:40 deraadt Exp $
 .\"
 .\" Copyright (c) 1990, 1991 The Regents of the University of California.
 .\" All rights reserved.
@@ -31,7 +31,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2013 $
+.Dd $Mdocdate: April 19 2014 $
 .Dt STRNCPY 3
 .Os
 .Sh NAME
@@ -48,17 +48,16 @@ function copies not more than
 .Fa len
 characters from the string
 .Fa src
-to
+to the buffer
 .Fa dst .
 If
 .Fa src
 is less than
 .Fa len
 characters long,
-it appends
+it fills the remaining buffer with
 .Ql \e0
-characters for the rest of
+characters.
-.Fa len .
 If the length of
 .Fa src
 is greater than or equal to
@@ -68,6 +67,11 @@ will
 .Em not
 be NUL-terminated.
 .Pp
+.Fn strncpy
+.Em only
+NUL terminates the destination string when the length of the source
+string is less than the length parameter.
+.Pp
 If the
 .Fa src
 and
@@ -90,31 +94,17 @@ to
 The following sets
 .Va chararray
 to
-.Dq abcdef
+.Dq abcdef ,
-and does
+without a NUL-terminator:
-.Em not
-NUL terminate
-.Va chararray
-because the length of the source string is greater than or equal to the
-length parameter.
-.Fn strncpy
-.Em only
-NUL terminates the destination string when the length of the source
-string is less than the length parameter.
 .Bd -literal -offset indent
 (void)strncpy(chararray, "abcdefgh", 6);
 .Ed
 .Pp
-The following copies as many characters from
+The following sequence copies as many characters from
 .Va input
 to
 .Va buf
-as will fit and NUL terminates the result.
+as will fit, and then NUL terminates the result by hand:
-Because
-.Fn strncpy
-does
-.Em not
-guarantee to NUL terminate the string itself, it must be done by hand.
 .Bd -literal -offset indent
 char buf[BUFSIZ];
@@ -122,23 +112,18 @@ char buf[BUFSIZ];
 buf[sizeof(buf) - 1] = '\e0';
 .Ed
 .Pp
-Note that
+By now it is clear that
-.Xr strlcpy 3
+.Nm strncpy
-is a better choice for this kind of operation.
+is dangerously easy to misuse.
-The equivalent using
+The
 .Xr strlcpy 3
-is simply:
+function is safer for this kind of operation:
 .Bd -literal -offset indent
-(void)strlcpy(buf, input, sizeof(buf));
+if (strlcpy(buf, input, sizeof(buf)) >= sizeof(buf))
+        goto toolong;
 .Ed
 .Sh SEE ALSO
-.Xr bcopy 3 ,
-.Xr memccpy 3 ,
-.Xr memcpy 3 ,
-.Xr memmove 3 ,
-.Xr strcat 3 ,
 .Xr strlcpy 3 ,
-.Xr strncat 3 ,
 .Xr wcscpy 3 ,
 .Xr wcslcpy 3
 .Sh STANDARDS
author	deraadt <>	2014-04-19 11:30:40 +0000
committer	deraadt <>	2014-04-19 11:30:40 +0000
commit	ac3cb5c172d4edffffbf917c401f9b4bfecea55f (patch)
tree	fcfc398023e666979cbe5ad67cb1e398e980f095 /src/lib/libc/string
parent	d43e1f468c006866ad7261a6e699a0fe621ad9ba (diff)
download	openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.tar.gz openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.tar.bz2 openbsd-ac3cb5c172d4edffffbf917c401f9b4bfecea55f.zip

diff --git a/src/lib/libc/string/strcat.3 b/src/lib/libc/string/strcat.3 index fba992edd9..7368d08e4b 100644 --- a/src/lib/libc/string/strcat.3 +++ b/src/lib/libc/string/strcat.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: strcat.3,v 1.16 2013/12/19 20:52:37 millert Exp $	1	.\" $OpenBSD: strcat.3,v 1.17 2014/04/19 11:30:40 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.	3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -31,12 +31,12 @@
31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF	31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32	.\" SUCH DAMAGE.	32	.\" SUCH DAMAGE.
33	.\"	33	.\"
34	.Dd $Mdocdate: December 19 2013 $	34	.Dd $Mdocdate: April 19 2014 $
35	.Dt STRCAT 3	35	.Dt STRCAT 3
36	.Os	36	.Os
37	.Sh NAME	37	.Sh NAME
38	.Nm strcat	38	.Nm strcat
39	.Nd concatenate two strings	39	.Nd concatenate two strings without bounds checking
40	.Sh SYNOPSIS	40	.Sh SYNOPSIS
41	.In string.h	41	.In string.h
42	.Ft char *	42	.Ft char *
@@ -50,22 +50,19 @@ to the end of the NUL-terminated string
50	.Fa s ,	50	.Fa s ,
51	then adds a terminating	51	then adds a terminating
52	.Ql \e0 .	52	.Ql \e0 .
53	The string	53	.Pp
54	.Fa s	54	No bounds checking is performed.
55	must have sufficient space to hold the result.	55	If the buffer
		56	.Fa dst
		57	is not large enough to hold the result,
		58	subsequent memory will be damaged.
56	.Sh RETURN VALUES	59	.Sh RETURN VALUES
57	The	60	The
58	.Fn strcat	61	.Fn strcat
59	function return the pointer	62	function return the pointer
60	.Fa s .	63	.Fa s .
61	.Sh SEE ALSO	64	.Sh SEE ALSO
62	.Xr bcopy 3 ,
63	.Xr memccpy 3 ,
64	.Xr memcpy 3 ,
65	.Xr memmove 3 ,
66	.Xr strcpy 3 ,
67	.Xr strlcpy 3 ,	65	.Xr strlcpy 3 ,
68	.Xr strncat 3 ,
69	.Xr wcscat 3 ,	66	.Xr wcscat 3 ,
70	.Xr wcslcpy 3	67	.Xr wcslcpy 3
71	.Sh STANDARDS	68	.Sh STANDARDS


diff --git a/src/lib/libc/string/strcpy.3 b/src/lib/libc/string/strcpy.3 index 849184d1f5..7174f7c963 100644 --- a/src/lib/libc/string/strcpy.3 +++ b/src/lib/libc/string/strcpy.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: strcpy.3,v 1.20 2013/12/19 20:52:37 millert Exp $	1	.\" $OpenBSD: strcpy.3,v 1.21 2014/04/19 11:30:40 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.	3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -31,12 +31,12 @@
31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF	31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32	.\" SUCH DAMAGE.	32	.\" SUCH DAMAGE.
33	.\"	33	.\"
34	.Dd $Mdocdate: December 19 2013 $	34	.Dd $Mdocdate: April 19 2014 $
35	.Dt STRCPY 3	35	.Dt STRCPY 3
36	.Os	36	.Os
37	.Sh NAME	37	.Sh NAME
38	.Nm strcpy	38	.Nm strcpy
39	.Nd copy a string	39	.Nd copy a string without bounds checking
40	.Sh SYNOPSIS	40	.Sh SYNOPSIS
41	.In string.h	41	.In string.h
42	.Ft char *	42	.Ft char *
@@ -46,43 +46,35 @@ The
46	.Fn strcpy	46	.Fn strcpy
47	function copies the string	47	function copies the string
48	.Fa src	48	.Fa src
49	to
50	.Fa dst
51	(including the terminating	49	(including the terminating
52	.Ql \e0	50	.Ql \e0
53	character).	51	character) to the buffer
54	The string	52	.Fa dst .
		53	.Pp
		54	No bounds checking is performed.
		55	If the buffer
55	.Fa dst	56	.Fa dst
56	must be at least as large as	57	is not large enough to hold the result,
57	.Fa src	58	subsequent memory will be damaged.
58	to hold the result.
59	.Pp	59	.Pp
60	If the	60	If the
61	.Fa src	61	.Fa src
62	and	62	string is inside the
63	.Fa dst	63	.Fa dst
64	strings overlap, the behavior is undefined.	64	buffer, the behavior is undefined.
65	.Sh RETURN VALUES	65	.Sh RETURN VALUES
66	The	66	The
67	.Fn strcpy	67	.Fn strcpy
68	function returns	68	function returns
69	.Fa dst .	69	.Fa dst .
70	.Sh SEE ALSO	70	.Sh SEE ALSO
71	.Xr bcopy 3 ,
72	.Xr memccpy 3 ,
73	.Xr memcpy 3 ,
74	.Xr memmove 3 ,
75	.Xr strcat 3 ,
76	.Xr strlcpy 3 ,	71	.Xr strlcpy 3 ,
77	.Xr strncpy 3 ,
78	.Xr wcscpy 3 ,	72	.Xr wcscpy 3 ,
79	.Xr wcslcpy 3	73	.Xr wcslcpy 3
80	.Sh STANDARDS	74	.Sh STANDARDS
81	The	75	The
82	.Fn strcpy	76	.Fn strcpy
83	and	77	function conforms to
84	.Fn strncpy
85	functions conform to
86	.St -ansiC .	78	.St -ansiC .
87	.Sh HISTORY	79	.Sh HISTORY
88	The	80	The


diff --git a/src/lib/libc/string/strncat.3 b/src/lib/libc/string/strncat.3 index bd15ef10fa..c0a0da57c7 100644 --- a/src/lib/libc/string/strncat.3 +++ b/src/lib/libc/string/strncat.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: strncat.3,v 1.2 2013/12/19 22:00:58 jmc Exp $	1	.\" $OpenBSD: strncat.3,v 1.3 2014/04/19 11:30:40 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.	3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -31,7 +31,7 @@
31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF	31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32	.\" SUCH DAMAGE.	32	.\" SUCH DAMAGE.
33	.\"	33	.\"
34	.Dd $Mdocdate: December 19 2013 $	34	.Dd $Mdocdate: April 19 2014 $
35	.Dt STRNCAT 3	35	.Dt STRNCAT 3
36	.Os	36	.Os
37	.Sh NAME	37	.Sh NAME
@@ -40,86 +40,91 @@
40	.Sh SYNOPSIS	40	.Sh SYNOPSIS
41	.In string.h	41	.In string.h
42	.Ft char *	42	.Ft char *
43	.Fn strncat "char s" "const char append" "size_t count"	43	.Fn strncat "char dst" "const char append" "size_t count"
44	.Sh DESCRIPTION	44	.Sh DESCRIPTION
45	The	45	The
46	.Fn strncat	46	.Fn strncat
47	function appends not more than	47	function appends not more than
48	.Fa count	48	.Fa count
49	characters of the NUL-terminated string	49	characters of the string
50	.Fa append	50	.Fa append
51	to the end of the NUL-terminated string	51	to the end of the string found in the buffer
52	.Fa s .	52	.Fa dst .
53	Space for the terminating	53	Space for the terminating
54	.Ql \e0	54	.Ql \e0
55	should not be included in	55	should not be included in
56	.Fa count .	56	.Fa count .
57	The string	57	.Pp
58	.Fa s	58	Bounds checking must be performed manually with great care.
59	must have sufficient space to hold the result.	59	If the buffer
		60	.Fa dst
		61	is not large enough to hold the result,
		62	subsequent memory will be damaged.
60	.Sh RETURN VALUES	63	.Sh RETURN VALUES
61	The	64	The
62	.Fn strncat	65	.Fn strncat
63	function returns the pointer	66	function returns the pointer
64	.Fa s .	67	.Fa dst .
65	.Sh EXAMPLES	68	.Sh EXAMPLES
66	The following appends
67	.Dq Li abc
68	to
69	.Va chararray :
70	.Bd -literal -offset indent
71	char *letters = "abcdefghi";
72
73	(void)strncat(chararray, letters, 3);
74	.Ed
75	.Pp
76	The following example shows how to use	69	The following example shows how to use
77	.Fn strncat	70	.Fn strncat
78	safely in conjunction with	71	in conjunction with
79	.Xr strncpy 3 .	72	.Xr strncpy 3 :
80	.Bd -literal -offset indent	73	.Bd -literal -offset indent
81	char buf[BUFSIZ];	74	char buf[BUFSIZ];
82	char input, suffix;	75	char base, suffix;
83		76
84	(void)strncpy(buf, input, sizeof(buf) - 1);	77	(void)strncpy(buf, base, sizeof(buf) - 1);
85	buf[sizeof(buf) - 1] = '\e0';	78	buf[sizeof(buf) - 1] = '\e0';
86	(void)strncat(buf, suffix, sizeof(buf) - 1 - strlen(buf));	79	(void)strncat(buf, suffix, sizeof(buf) - 1 - strlen(buf));
87	.Ed	80	.Ed
88	.Pp	81	.Pp
89	The above will copy as many characters from	82	The above will copy as many characters from
90	.Va input	83	.Va base
91	to	84	to
92	.Va buf	85	.Va buf
93	as will fit.	86	as will fit.
94	It then appends as many characters from	87	It then appends as many characters from
95	.Va suffix	88	.Va suffix
96	as will fit (or none	89	as will fit.
97	if there is no space).	90	If either
98	For operations like this, the	91	.Va base
		92	or
		93	.Va suffix
		94	are too large, truncation will occur without detection.
		95	.Pp
		96	The above example shows dangerous coding patterns, including an
		97	inability to detect truncation.
		98	.Fn strncat
		99	and
		100	.Fn strncpy
		101	are dangerously easy to misuse.
		102	The
99	.Xr strlcpy 3	103	.Xr strlcpy 3
100	and	104	and
101	.Xr strlcat 3	105	.Xr strlcat 3
102	functions are a better choice, as shown below.	106	functions are safer for this kind of operation:
		107	.Bd -literal -offset indent
		108	if (strlcpy(buf, base, sizeof(buf)) >= sizeof(buf) \|\|
		109	strlcat(buf, suffix, sizeof(buf)) >= sizeof(buf))
		110	goto toolong;
		111
		112	.Ed
		113	or for greatest portability,
103	.Bd -literal -offset indent	114	.Bd -literal -offset indent
104	(void)strlcpy(buf, input, sizeof(buf));	115	if (snprintf(buf, sizeof(buf), "%s%s",
105	(void)strlcat(buf, suffix, sizeof(buf));	116	base, suffix) >= sizeof(buf))
		117	goto toolong;
106	.Ed	118	.Ed
		119
107	.Sh SEE ALSO	120	.Sh SEE ALSO
108	.Xr bcopy 3 ,
109	.Xr memccpy 3 ,
110	.Xr memcpy 3 ,
111	.Xr memmove 3 ,
112	.Xr strcat 3 ,
113	.Xr strcpy 3 ,
114	.Xr strlcpy 3 ,	121	.Xr strlcpy 3 ,
115	.Xr wcscat 3 ,	122	.Xr wcscat 3 ,
116	.Xr wcslcpy 3	123	.Xr wcslcpy 3
117	.Sh STANDARDS	124	.Sh STANDARDS
118	The	125	The
119	.Fn strcat
120	and
121	.Fn strncat	126	.Fn strncat
122	functions conform to	127	function conform to
123	.St -ansiC .	128	.St -ansiC .
124	.Sh HISTORY	129	.Sh HISTORY
125	The	130	The


diff --git a/src/lib/libc/string/strncpy.3 b/src/lib/libc/string/strncpy.3 index dd8ddb86fc..3a68a0bd5b 100644 --- a/src/lib/libc/string/strncpy.3 +++ b/src/lib/libc/string/strncpy.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: strncpy.3,v 1.1 2013/12/19 20:52:37 millert Exp $	1	.\" $OpenBSD: strncpy.3,v 1.2 2014/04/19 11:30:40 deraadt Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.	3	.\" Copyright (c) 1990, 1991 The Regents of the University of California.
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -31,7 +31,7 @@
31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF	31	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32	.\" SUCH DAMAGE.	32	.\" SUCH DAMAGE.
33	.\"	33	.\"
34	.Dd $Mdocdate: December 19 2013 $	34	.Dd $Mdocdate: April 19 2014 $
35	.Dt STRNCPY 3	35	.Dt STRNCPY 3
36	.Os	36	.Os
37	.Sh NAME	37	.Sh NAME
@@ -48,17 +48,16 @@ function copies not more than
48	.Fa len	48	.Fa len
49	characters from the string	49	characters from the string
50	.Fa src	50	.Fa src
51	to	51	to the buffer
52	.Fa dst .	52	.Fa dst .
53	If	53	If
54	.Fa src	54	.Fa src
55	is less than	55	is less than
56	.Fa len	56	.Fa len
57	characters long,	57	characters long,
58	it appends	58	it fills the remaining buffer with
59	.Ql \e0	59	.Ql \e0
60	characters for the rest of	60	characters.
61	.Fa len .
62	If the length of	61	If the length of
63	.Fa src	62	.Fa src
64	is greater than or equal to	63	is greater than or equal to
@@ -68,6 +67,11 @@ will
68	.Em not	67	.Em not
69	be NUL-terminated.	68	be NUL-terminated.
70	.Pp	69	.Pp
		70	.Fn strncpy
		71	.Em only
		72	NUL terminates the destination string when the length of the source
		73	string is less than the length parameter.
		74	.Pp
71	If the	75	If the
72	.Fa src	76	.Fa src
73	and	77	and
@@ -90,31 +94,17 @@ to
90	The following sets	94	The following sets
91	.Va chararray	95	.Va chararray
92	to	96	to
93	.Dq abcdef	97	.Dq abcdef ,
94	and does	98	without a NUL-terminator:
95	.Em not
96	NUL terminate
97	.Va chararray
98	because the length of the source string is greater than or equal to the
99	length parameter.
100	.Fn strncpy
101	.Em only
102	NUL terminates the destination string when the length of the source
103	string is less than the length parameter.
104	.Bd -literal -offset indent	99	.Bd -literal -offset indent
105	(void)strncpy(chararray, "abcdefgh", 6);	100	(void)strncpy(chararray, "abcdefgh", 6);
106	.Ed	101	.Ed
107	.Pp	102	.Pp
108	The following copies as many characters from	103	The following sequence copies as many characters from
109	.Va input	104	.Va input
110	to	105	to
111	.Va buf	106	.Va buf
112	as will fit and NUL terminates the result.	107	as will fit, and then NUL terminates the result by hand:
113	Because
114	.Fn strncpy
115	does
116	.Em not
117	guarantee to NUL terminate the string itself, it must be done by hand.
118	.Bd -literal -offset indent	108	.Bd -literal -offset indent
119	char buf[BUFSIZ];	109	char buf[BUFSIZ];
120		110
@@ -122,23 +112,18 @@ char buf[BUFSIZ];
122	buf[sizeof(buf) - 1] = '\e0';	112	buf[sizeof(buf) - 1] = '\e0';
123	.Ed	113	.Ed
124	.Pp	114	.Pp
125	Note that	115	By now it is clear that
126	.Xr strlcpy 3	116	.Nm strncpy
127	is a better choice for this kind of operation.	117	is dangerously easy to misuse.
128	The equivalent using	118	The
129	.Xr strlcpy 3	119	.Xr strlcpy 3
130	is simply:	120	function is safer for this kind of operation:
131	.Bd -literal -offset indent	121	.Bd -literal -offset indent
132	(void)strlcpy(buf, input, sizeof(buf));	122	if (strlcpy(buf, input, sizeof(buf)) >= sizeof(buf))
		123	goto toolong;
133	.Ed	124	.Ed
134	.Sh SEE ALSO	125	.Sh SEE ALSO
135	.Xr bcopy 3 ,
136	.Xr memccpy 3 ,
137	.Xr memcpy 3 ,
138	.Xr memmove 3 ,
139	.Xr strcat 3 ,
140	.Xr strlcpy 3 ,	126	.Xr strlcpy 3 ,
141	.Xr strncat 3 ,
142	.Xr wcscpy 3 ,	127	.Xr wcscpy 3 ,
143	.Xr wcslcpy 3	128	.Xr wcslcpy 3
144	.Sh STANDARDS	129	.Sh STANDARDS