Why does strncpy not null terminate?
Solution 1
strncpy()
is not intended to be used as a safer strcpy()
, it is supposed to be used to insert one string in the middle of another.
All those "safe" string handling functions such as snprintf()
and vsnprintf()
are fixes that have been added in later standards to mitigate buffer overflow exploits etc.
Wikipedia mentions strncat()
as an alternative to writing your own safe strncpy()
:
*dst = '\0';
strncat(dst, src, LEN);
EDIT
I missed that strncat()
exceeds LEN characters when null terminating the string if it is longer or equal to LEN char's.
Anyway, the point of using strncat()
instead of any homegrown solution such as memcpy(..., strlen(...))
/whatever is that the implementation of strncat()
might be target/platform optimized in the library.
Of course you need to check that dst holds at least the nullchar, so the correct use of strncat()
would be something like:
if (LEN) {
*dst = '\0'; strncat(dst, src, LEN-1);
}
I also admit that strncpy()
is not very useful for copying a substring into another string, if the src is shorter than n char's, the destination string will be truncated.
Solution 2
Originally, the 7th Edition UNIX file system (see DIR(5)) had directory entries that limited file names to 14 bytes; each entry in a directory consisted of 2 bytes for the inode number plus 14 bytes for the name, null padded to 14 characters, but not necessarily null-terminated. It's my belief that strncpy()
was designed to work with those directory structures - or, at least, it works perfectly for that structure.
Consider:
- A 14 character file name was not null terminated.
- If the name was shorter than 14 bytes, it was null padded to full length (14 bytes).
This is exactly what would be achieved by:
strncpy(inode->d_name, filename, 14);
So, strncpy()
was ideally fitted to its original niche application. It was only coincidentally about preventing overflows of null-terminated strings.
(Note that null padding up to the length 14 is not a serious overhead - if the length of the buffer is 4 KB and all you want is to safely copy 20 characters into it, then the extra 4075 nulls is serious overkill, and can easily lead to quadratic behaviour if you are repeatedly adding material to a long buffer.)
Solution 3
There are already open source implementations like strlcpy that do safe copying.
http://en.wikipedia.org/wiki/Strlcpy
In the references there are links to the sources.
Solution 4
Strncpy is safer against stack overflow attacks by the user of your program, it doesn't protect you against errors you the programmer do, such as printing a non-null-terminated string, the way you've described.
You can avoid crashing from the problem you've described by limiting the number of chars printed by printf:
char my_string[10];
//other code here
printf("%.9s",my_string); //limit the number of chars to be printed to 9
Solution 5
Some new alternatives are specified in ISO/IEC TR 24731 (Check https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/coding/317-BSI.html for info). Most of these functions take an additional parameter that specifies the maximum length of the target variable, ensure that all strings are null-terminated, and have names that end in _s
(for "safe" ?) to differentiate them from their earlier "unsafe" versions.1
Unfortunately, they're still gaining support and may not be available with your particular tool set. Later versions of Visual Studio will throw warnings if you use the old unsafe functions.
If your tools don't support the new functions, it should be fairly easy to create your own wrappers for the old functions. Here's an example:
errCode_t strncpy_safe(char *sDst, size_t lenDst,
const char *sSrc, size_t count)
{
// No NULLs allowed.
if (sDst == NULL || sSrc == NULL)
return ERR_INVALID_ARGUMENT;
// Validate buffer space.
if (count >= lenDst)
return ERR_BUFFER_OVERFLOW;
// Copy and always null-terminate
memcpy(sDst, sSrc, count);
*(sDst + count) = '\0';
return OK;
}
You can change the function to suit your needs, for example, to always copy as much of the string as possible without overflowing. In fact, the VC++ implementation can do this if you pass _TRUNCATE
as the count
.
1Of course, you still need to be accurate about the size of the target buffer: if you supply a 3-character buffer but tell
strcpy_s()
it has space for 25 chars, you're still in trouble.
Timothy Pratley
Updated on June 26, 2020Comments
-
Timothy Pratley about 4 years
strncpy()
supposedly protects from buffer overflows. But if it prevents an overflow without null terminating, in all likelihood a subsequent string operation is going to overflow. So to protect against this I find myself doing:strncpy( dest, src, LEN ); dest[LEN - 1] = '\0';
man strncpy
gives:The
strncpy()
function is similar, except that not more thann
bytes ofsrc
are copied. Thus, if there is no null byte among the firstn
bytes ofsrc
, the result will not be null-terminated.Without null terminating something seemingly innocent like:
printf( "FOO: %s\n", dest );
...could crash.
Are there better, safer alternatives to
strncpy()
? -
Steve Jessop almost 15 years"it is supposed to be used to insert one string in the middle of another" - no, it's intended to write a string into a fixed-width field, such as in a directory entry. That's why it pads the output buffer with NUL if (and only if) the source string is too short.
-
Adam Liss almost 15 yearsHow does setting *dst='\0' make this any safer? It still has the original problem of allowing you to write beyond the end of the target buffer.
-
Martin B almost 15 yearsBecause he's using
strncat
, which concatenates onto the destination string. -
unwind almost 15 yearsYou can't legally define a function whose name starts with str*, that "namespace" is reserved in C.
-
Steve Jessop almost 15 years
*dst = 0
is just there to make strncat work at all (i.e. write to the start of the destination buffer). If LEN+1 is the length of the target buffer, then that is what prevents overrun. Unlike strncpy, strncat always NUL-terminates the output, which is why the above code is a "safer" strcpy alternative than strncpy. Note though that the above code does write up to LEN+1 bytes, not up to LEN bytes, so there is still an excellent opportunity for the user to get it wrong. -
Timothy Pratley almost 15 yearssounds good but shouldn't it be strncat(dst,src,LEN-1) given its going to write an extra character?
-
Timothy Pratley almost 15 yearsah I guess it all depends if dst is LEN or LEN+1 long :)
-
Jonathan Leffler almost 15 yearsSince
strncpy()
null pads a short string to the specified length, I'm not convinced that it is intended for insertion into the middle of other strings. I'll agree with the first part of the first sentence. And the general use ofstrncat()
is dangerous; the calling convention is complex if the destination is not an empty string. Granted, the example shows usingstrncat()
on an empty string - because of the*dst = '\0';
assignment. But the length has to be reduced by the actual length of the current value in the destination to be safe. The TR24731 safe functions are safer. -
Jonathan Leffler almost 15 yearsBut the ISO C committee can - and did. See also: stackoverflow.com/questions/372980/…
-
Steve Jessop almost 15 years@Jonathan: Actually safe would be a datatype combining a pointer to a char buffer, with the length of that buffer. But we all know that's not going to happen. Personally, I'm bone-weary of all these efforts to make something which is inherently unsafe (programmers trying to accurately respect the length of a buffer), some fraction safer. It's not as if we currently have 50% too many buffer overruns, so if only we could make string handling 50% safer we'd be fine :-(
-
Adam Liss almost 15 years@Jonathan: Thanks for the cross-reference to your own question, which provides a lot of additional helpful info.
-
Adam Liss almost 15 yearsWhether to initialize all buffers to zero is a topic of debate in its own right. Personally, I prefer to do so during development/debugging, as it tends to make errors more obvious, but there are plenty of other ("cheaper") options.
-
pixelbeat almost 15 yearsErm why is the _ mangled to %5F in the URL above? Underscore is fine as per RFC 3548.
-
Christoph almost 15 yearsyou only need to set
dest[LEN-1]
to0
- the other bytes will be filled bystrncpy()
if needed (remember:strncpy(s,d,n)
ALWAYS writesn
bytes!) -
Admin almost 15 yearsNot to mention, portable, fast and reliable. You can still misuse it, but the risk is orders of magnitude lower. IMO, strncpy should be deprecated and replaced with the same function called dirnamecpy or something like that. strncpy is not safe string copy and has never been.
-
David Thornley over 14 yearsThe use of the precision field to limit the number of characters printed by
%s
has got to be one of the most obscure features of C. -
c-urchin almost 14 yearsIt's already been said, but my downvote is due to this explanation making no sense, and the suggestion is less than useful -- why not just wrap strncpy and supply the terminal null? Some implementations (as noted by Leffler above) already do specify that they will pad the output with nulls which seems to me to be the right thing to do.
-
supercat over 12 yearsThat particular situation may be obscure, but it's not exactly uncommon to have data structures with fixed-length string fields which are null-padded but not null-terminated. Indeed, if one is storing fixed-format data, that's oftentimes the most efficient way to do it.
-
supercat over 12 yearsGiven
strncpy()
as it exists, one can force the string to be zero-terminated by manually writing a zero byte at the end of the buffer. By contrast, if strncpy() insisted upon always writing a zero-byte following the last useful location, I can't think of any efficient way of updating zero-padded (not terminated) strings. Note that zero-padded strings of known fixed length were and still are a time-efficient means of storing data on disk; storing information in RAM in the same format as it is on disk can also boost performance. -
weston over 12 years@DavidThornley It is documented very clearly in K&R under sprintf.
-
David Thornley over 12 years@weston: And in Harbison & Steele, which is what I've got here at work. Now, in what popular C books, other than those two, is this mentioned? Every feature should be mentioned in K&R and H&S (and is mentioned in the Standard), so if that's the standard of obscurity there are no obscure features.
-
weston over 12 years@DavidThornley I just wanted to balance your comment, because by putting "one of the most obscure features" it makes this answer look bad and people could be put off from using it. Which is wrong as it's a perfectly valid, well documented feature, as well documented as any other use of the precision field. "Obscure" seems to be a matter of opinion, as personally I see this used a lot.
-
che over 11 yearsWe're using macro equivalent to
snprintf(buffer, sizeof(buffer), "%s", src)
. Works fine as long as you remember to never use it on char * destinations -
paxdiablo over 11 years+1 for not repeating the rubbish that strncpy is somehow a safe version of strcpy - the former has its own set of problems.
-
Lê Quang Duy about 6 yearsplease enlighten me, why you want the result is always the length of the src string? in my opinion, return
srclen
will be better since we would know how many characters are really copied. -
hat over 5 yearsEnjoy your guru badge : )
-
Jonathan Lidbeck about 5 years@LêQuangDuy, it's in keeping with the spec (freebsd.org/cgi/man.cgi?query=strlcpy&sektion=3#end): like snprintf, strlcat, it returns the size of the string it tried to write, so the caller can provide a larger buffer and re-invoke the function to store everything.