213 lines
5.3 KiB
Groff
213 lines
5.3 KiB
Groff
.\" $NetBSD: strlcpy.3,v 1.13 2010/04/14 13:07:51 wiz Exp $
|
|
.\" from OpenBSD: strlcpy.3,v 1.11 2000/11/16 23:27:41 angelos Exp
|
|
.\"
|
|
.\" Copyright (c) 1998, 2000 Todd C. Miller <Todd.Miller@courtesan.com>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd March 1, 2001
|
|
.Dt STRLCPY 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm strlcpy ,
|
|
.Nm strlcat
|
|
.Nd size-bounded string copying and concatenation
|
|
.Sh LIBRARY
|
|
.Lb libc
|
|
.Sh SYNOPSIS
|
|
.In string.h
|
|
.Ft size_t
|
|
.Fn strlcpy "char *dst" "const char *src" "size_t size"
|
|
.Ft size_t
|
|
.Fn strlcat "char *dst" "const char *src" "size_t size"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat
|
|
functions copy and concatenate strings respectively.
|
|
They are designed
|
|
to be safer, more consistent, and less error prone replacements for
|
|
.Xr strncpy 3
|
|
and
|
|
.Xr strncat 3 .
|
|
Unlike those functions,
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat
|
|
take the full size of the buffer (not just the length) and guarantee to
|
|
NUL-terminate the result (as long as
|
|
.Fa size
|
|
is larger than 0 or, in the case of
|
|
.Fn strlcat ,
|
|
as long as there is at least one byte free in
|
|
.Fa dst ) .
|
|
Note that you should include a byte for the NUL in
|
|
.Fa size .
|
|
Also note that
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat
|
|
only operate on true
|
|
.Dq C
|
|
strings.
|
|
This means that for
|
|
.Fn strlcpy
|
|
.Fa src
|
|
must be NUL-terminated and for
|
|
.Fn strlcat
|
|
both
|
|
.Fa src
|
|
and
|
|
.Fa dst
|
|
must be NUL-terminated.
|
|
.Pp
|
|
The
|
|
.Fn strlcpy
|
|
function copies up to
|
|
.Fa size
|
|
- 1 characters from the NUL-terminated string
|
|
.Fa src
|
|
to
|
|
.Fa dst ,
|
|
NUL-terminating the result.
|
|
.Pp
|
|
The
|
|
.Fn strlcat
|
|
function appends the NUL-terminated string
|
|
.Fa src
|
|
to the end of
|
|
.Fa dst .
|
|
It will append at most
|
|
.Fa size
|
|
- strlen(dst) - 1 bytes, NUL-terminating the result.
|
|
.Sh RETURN VALUES
|
|
The
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat
|
|
functions return the total length of the string they tried to create.
|
|
For
|
|
.Fn strlcpy
|
|
that means the length of
|
|
.Fa src .
|
|
For
|
|
.Fn strlcat
|
|
that means the initial length of
|
|
.Fa dst
|
|
plus
|
|
the length of
|
|
.Fa src .
|
|
While this may seem somewhat confusing it was done to make
|
|
truncation detection simple.
|
|
.Pp
|
|
Note however, that if
|
|
.Fn strlcat
|
|
traverses
|
|
.Fa size
|
|
characters without finding a NUL, the length of the string is considered
|
|
to be
|
|
.Fa size
|
|
and the destination string will not be NUL-terminated (since there was
|
|
no space for the NUL).
|
|
This keeps
|
|
.Fn strlcat
|
|
from running off the end of a string.
|
|
In practice this should not happen (as it means that either
|
|
.Fa size
|
|
is incorrect or that
|
|
.Fa dst
|
|
is not a proper
|
|
.Dq C
|
|
string).
|
|
The check exists to prevent potential security problems in incorrect code.
|
|
.Sh EXAMPLES
|
|
The following code fragment illustrates the simple case:
|
|
.Bd -literal -offset indent
|
|
char *s, *p, buf[BUFSIZ];
|
|
|
|
\&...
|
|
|
|
(void)strlcpy(buf, s, sizeof(buf));
|
|
(void)strlcat(buf, p, sizeof(buf));
|
|
.Ed
|
|
.Pp
|
|
To detect truncation, perhaps while building a pathname, something
|
|
like the following might be used:
|
|
.Bd -literal -offset indent
|
|
char *dir, *file, pname[MAXPATHLEN];
|
|
|
|
\&...
|
|
|
|
if (strlcpy(pname, dir, sizeof(pname)) \*[Ge] sizeof(pname))
|
|
goto toolong;
|
|
if (strlcat(pname, file, sizeof(pname)) \*[Ge] sizeof(pname))
|
|
goto toolong;
|
|
.Ed
|
|
.Pp
|
|
Since we know how many characters we copied the first time, we can
|
|
speed things up a bit by using a copy instead of an append:
|
|
.Bd -literal -offset indent
|
|
char *dir, *file, pname[MAXPATHLEN];
|
|
size_t n;
|
|
|
|
\&...
|
|
|
|
n = strlcpy(pname, dir, sizeof(pname));
|
|
if (n \*[Ge] sizeof(pname))
|
|
goto toolong;
|
|
if (strlcpy(pname + n, file, sizeof(pname) - n) \*[Ge] sizeof(pname) - n)
|
|
goto toolong;
|
|
.Ed
|
|
.Pp
|
|
However, one may question the validity of such optimizations, as they
|
|
defeat the whole purpose of
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat .
|
|
.Sh SEE ALSO
|
|
.Xr snprintf 3 ,
|
|
.Xr strncat 3 ,
|
|
.Xr strncpy 3
|
|
.Rs
|
|
.%A Todd C. Miller
|
|
.%A Theo de Raadt
|
|
.%T strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation
|
|
.%I USENIX Association
|
|
.%B Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference
|
|
.%D June 6-11, 1999
|
|
.%U http://www.usenix.org/publications/library/proceedings/usenix99/full_papers/millert/millert.pdf
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Fn strlcpy
|
|
and
|
|
.Fn strlcat
|
|
functions first appeared in
|
|
.Ox 2.4 ,
|
|
then in
|
|
.Nx 1.4.3
|
|
and
|
|
.Fx 3.3 .
|