
File: [local] / www / papers / strlcpy-paper.ps (download)

Revision 1.1, Mon Jun 14 06:59:39 1999 UTC (24 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: HEAD

usenix 99 papers

%!PS-Adobe-3.0
%%Creator: groff version 1.11
%%CreationDate: Mon Apr 26 11:30:42 1999
%%DocumentNeededResources: font Times-Bold
%%+ font Times-Italic
%%+ font Times-Roman
%%+ font Courier
%%DocumentSuppliedResources: procset grops 1.11 0
%%Pages: 4
%%PageOrder: Ascend
%%Orientation: Portrait
%%EndComments
%%BeginProlog
%%BeginResource: procset grops 1.11 0
/setpacking where{
pop
currentpacking
true setpacking
}if
/grops 120 dict dup begin
/SC 32 def
/A/show load def
/B{0 SC 3 -1 roll widthshow}bind def
/C{0 exch ashow}bind def
/D{0 exch 0 SC 5 2 roll awidthshow}bind def
/E{0 rmoveto show}bind def
/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
/G{0 rmoveto 0 exch ashow}bind def
/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/I{0 exch rmoveto show}bind def
/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
/K{0 exch rmoveto 0 exch ashow}bind def
/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/M{rmoveto show}bind def
/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
/O{rmoveto 0 exch ashow}bind def
/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/Q{moveto show}bind def
/R{moveto 0 SC 3 -1 roll widthshow}bind def
/S{moveto 0 exch ashow}bind def
/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
/SF{
findfont exch
[exch dup 0 exch 0 exch neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/MF{
findfont
[5 2 roll
0 3 1 roll
neg 0 0]makefont
dup setfont
[exch/setfont cvx]cvx bind def
}bind def
/level0 0 def
/RES 0 def
/PL 0 def
/LS 0 def
/MANUAL{
statusdict begin/manualfeed true store end
}bind def
/PLG{
gsave newpath clippath pathbbox grestore
exch pop add exch pop
}bind def
/BP{
/level0 save def
1 setlinecap
1 setlinejoin
72 RES div dup scale
LS{
90 rotate
}{
0 PL translate
}ifelse
1 -1 scale
}bind def
/EP{
level0 restore
showpage
}bind def
/DA{
newpath arcn stroke
}bind def
/SN{
transform
.25 sub exch .25 sub exch
round .25 add exch round .25 add exch
itransform
}bind def
/DL{
SN
moveto
SN
lineto stroke
}bind def
/DC{
newpath 0 360 arc closepath
}bind def
/TM matrix def
/DE{
TM currentmatrix pop
translate scale newpath 0 0 .5 0 360 arc closepath
TM setmatrix
}bind def
/RC/rcurveto load def
/RL/rlineto load def
/ST/stroke load def
/MT/moveto load def
/CL/closepath load def
/FL{
currentgray exch setgray fill setgray
}bind def
/BL/fill load def
/LW/setlinewidth load def
/RE{
findfont
dup maxlength 1 index/FontName known not{1 add}if dict begin
{
1 index/FID ne{def}{pop pop}ifelse
}forall
/Encoding exch def
dup/FontName exch def
currentdict end definefont pop
}bind def
/DEFS 0 def
/EBEGIN{
moveto
DEFS begin
}bind def
/EEND/end load def
/CNT 0 def
/level1 0 def
/PBEGIN{
/level1 save def
translate
div 3 1 roll div exch scale
neg exch neg exch translate
0 setgray
0 setlinecap
1 setlinewidth
0 setlinejoin
10 setmiterlimit
[]0 setdash
/setstrokeadjust where{
pop
false setstrokeadjust
}if
/setoverprint where{
pop
false setoverprint
}if
newpath
/CNT countdictstack def
userdict begin
/showpage{}def
}bind def
/PEND{
clear
countdictstack CNT sub{end}repeat
level1 restore
}bind def
end def
/setpacking where{
pop
setpacking
}if
%%EndResource
%%IncludeResource: font Times-Bold
%%IncludeResource: font Times-Italic
%%IncludeResource: font Times-Roman
%%IncludeResource: font Courier
grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
def/PL 792 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron/Zcaron
/scaron/zcaron/Ydieresis/trademark/quotesingle/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
/Times-Italic@0 ENC0/Times-Italic RE/Times-Bold@0 ENC0/Times-Bold RE
%%EndProlog
%%Page: 1 1
%%BeginPageSetup
BP
%%EndPageSetup
/F0 14/Times-Bold@0 SF(strlcpy and strlcat \212 consistent, safe, strin\
g copy and concatenation.)101.453 100.8 Q/F1 12/Times-Italic@0 SF -1.104
(To)270.714 129.6 S(dd C. Miller)1.104 E(Univer)228.15 145.44 Q
(sity of Color)-.12 E(ado, Boulder)-.18 E(Theo de Raadt)271.002 163.44 Q
(OpenBSD pr)263.778 179.28 Q(oject)-.54 E/F2 12/Times-Bold@0 SF
(Abstract)283.674 215.28 Q/F3 10/Times-Roman@0 SF 1.349(As the pre)97
231.48 R -.25(va)-.25 G 1.348(lence of b).25 F(uf)-.2 E 1.348(fer o)-.25
F -.15(ve)-.15 G(r\215o).15 E 3.848(wa)-.25 G 1.348
(ttacks has increased, more and more programmers are using size or)
-3.848 F 1.174(length-bounded string functions such as strncp)72 243.48
R 1.175(y\(\) and strncat\(\).)-.1 F 1.175
(While this is certainly an encouraging trend, the)6.175 F .607(standar\
d C string functions generally used were not really designed for the ta\
sk.)72 255.48 R .607(This paper describes an alternate,)5.607 F(intuiti)
72 267.48 Q -.15(ve)-.25 G 2.5(,a).15 G
(nd consistent API designed with safe string copies in mind.)-2.5 E .911
(There are se)72 283.68 R -.15(ve)-.25 G .911
(ral problems encountered when strncp).15 F .911
(y\(\) and strncat\(\) are used as safe v)-.1 F .911(ersions of strcp)
-.15 F .912(y\(\) and str)-.1 F(-)-.2 E 3.255(cat\(\). Both)72 295.68 R
.755
(functions deal with NUL-termination and the length parameter in dif)
3.255 F .754(ferent and non-intuiti)-.25 F 1.054 -.15(ve w)-.25 H .754
(ays that).05 F .536(confuse e)72 307.68 R -.15(ve)-.25 G 3.036(ne).15 G
.536(xperienced programmers.)-3.186 F(The)5.536 E 3.036(ya)-.15 G .536
(lso pro)-3.036 F .536(vide no easy w)-.15 F .536
(ay to detect when truncation occurs.)-.1 F(Finally)5.536 E(,)-.65 E
(strncp)72 319.68 Q .553(y\(\) zero-\214lls the remainder of the destin\
ation string, incurring a performance penalty)-.1 F 5.552(.O)-.65 G
3.052(fa)-5.552 G .552(ll these issues, the)-3.052 F .436(confusion cau\
sed by the length parameters and the related issue of NUL-termination a\
re most important.)72 331.68 R .437(When we)5.437 F .911(audited the Op\
enBSD source tree for potential security holes we found rampant misuse \
of strncp)72 343.68 R .911(y\(\) and strncat\(\).)-.1 F .437
(While not all of these resulted in e)72 355.68 R .437
(xploitable security holes, the)-.15 F 2.938(ym)-.15 G .438
(ade it clear that the rules for using strncp)-2.938 F .438(y\(\) and)
-.1 F .208
(strncat\(\) in safe string operations are widely misunderstood.)72
367.68 R .208(The proposed replacement functions, strlcp)5.208 F .207
(y\(\) and strl-)-.1 F .496(cat\(\), address these problems by presenti\
ng an API designed for safe string copies \(see Figure 1 for function p\
roto-)72 379.68 R 3.488(types\). Both)72 391.68 R .988
(functions guarantee NUL-termination, tak)3.488 F 3.488(ea)-.1 G 3.488
(sal)-3.488 G .987(ength parameter the size of the string in bytes, and)
-3.488 F(pro)72 403.68 Q(vide an easy w)-.15 E(ay to detect truncation.)
-.1 E(Neither function zero-\214lls unused bytes in the destination.)5 E
F2(Intr)148.438 430.08 Q(oduction)-.216 E F3 1.96
(In the middle of 1996, the authors, along with)97 446.28 R 1.053
(other members of the OpenBSD project, undertook an)72 458.28 R .921
(audit of the OpenBSD source tree looking for security)72 470.28 R 2.537
(problems, starting with an emphasis on b)72 482.28 R(uf)-.2 E 2.537
(fer o)-.25 F -.15(ve)-.15 G -.2(r-).15 G<8d6f>72 494.28 Q 2.911
(ws. Buf)-.25 F .411(fer o)-.25 F -.15(ve)-.15 G(r\215o).15 E .411
(ws [1] had recently gotten a lot of)-.25 F .087
(attention in forums such as BugT)72 506.28 R .086
(raq [2] and were being)-.35 F 1.508(widely e)72 518.28 R 6.508
(xploited. W)-.15 F 4.009(ef)-.8 G 1.509(ound a lar)-4.009 F 1.509
(ge number of o)-.18 F -.15(ve)-.15 G -.2(r-).15 G<8d6f>72 530.28 Q
1.879(ws due to unbounded string copies using sprintf\(\),)-.25 F(strcp)
72 542.28 Q .969
(y\(\) and strcat\(\), as well as loops that manipulated)-.1 F 1.91
(strings without an e)72 554.28 R 1.91
(xplicit length check in the loop)-.15 F(in)72 566.28 Q -.25(va)-.4 G
3.643(riant. Additionally).25 F 3.643(,w)-.65 G 3.643(ea)-3.643 G 1.143
(lso found man)-3.643 F 3.644(yi)-.15 G(nstances)-3.644 E 3.561
(where the programmer had tried to do safe string)72 578.28 R 1.307
(manipulation with strncp)72 590.28 R 1.307(y\(\) and strncat\(\) b)-.1
F 1.307(ut f)-.2 F 1.308(ailed to)-.1 F
(grasp the subtleties of the API.)72 602.28 Q .016
(Thus, when auditing code, we found that not only)97 618.48 R -.1(wa)72
630.48 S 2.993(si).1 G 2.993(tn)-2.993 G .493
(ecessary to check for unsafe usage of functions)-2.993 F(lik)72 642.48
Q 5.319(es)-.1 G(trcp)-5.319 E 2.819
(y\(\) and strcat\(\), we also had to check for)-.1 F .158
(incorrect usage of strncp)72 654.48 R .159(y\(\) and strncat\(\).)-.1 F
.159(Checking for)5.159 F 1.555(correct usage is not al)72 666.48 R -.1
(wa)-.1 G 1.555(ys ob).1 F 1.555(vious, especially in the)-.15 F 1.638
(case of \231static\232 v)72 678.48 R 1.639(ariables or b)-.25 F(uf)-.2
E 1.639(fers allocated via cal-)-.25 F .076(loc\(\), which are ef)72
690.48 R(fecti)-.25 E -.15(ve)-.25 G .076(ly pre-terminated.).15 F 1.675
-.8(We c)5.076 H .075(ame to).8 F 1.164
(the conclusion that a foolproof alternati)72 702.48 R 1.465 -.15(ve t)
-.25 H 3.665(os).15 G(trncp)-3.665 E(y\(\))-.1 E .829(and strncat\(\) w)
72 714.48 R .829(as needed, primarily to simplify the job)-.1 F .403
(of the programmer)316 427.68 R 2.903(,b)-.4 G .403(ut also to mak)
-3.103 F 2.904(ec)-.1 G .404(ode auditing eas-)-2.904 F(ier)316 439.68 Q
(.)-.55 E .4 LW 321 455.88 316 455.88 DL 325 455.88 320 455.88 DL 330
455.88 325 455.88 DL 335 455.88 330 455.88 DL 340 455.88 335 455.88 DL
345 455.88 340 455.88 DL 350 455.88 345 455.88 DL 355 455.88 350 455.88
DL 360 455.88 355 455.88 DL 365 455.88 360 455.88 DL 370 455.88 365
455.88 DL 375 455.88 370 455.88 DL 380 455.88 375 455.88 DL 385 455.88
380 455.88 DL 390 455.88 385 455.88 DL 395 455.88 390 455.88 DL 400
455.88 395 455.88 DL 405 455.88 400 455.88 DL 410 455.88 405 455.88 DL
415 455.88 410 455.88 DL 420 455.88 415 455.88 DL 425 455.88 420 455.88
DL 430 455.88 425 455.88 DL 435 455.88 430 455.88 DL 440 455.88 435
455.88 DL 445 455.88 440 455.88 DL 450 455.88 445 455.88 DL 455 455.88
450 455.88 DL 460 455.88 455 455.88 DL 465 455.88 460 455.88 DL 470
455.88 465 455.88 DL 475 455.88 470 455.88 DL 480 455.88 475 455.88 DL
485 455.88 480 455.88 DL 490 455.88 485 455.88 DL 495 455.88 490 455.88
DL 500 455.88 495 455.88 DL 505 455.88 500 455.88 DL 510 455.88 505
455.88 DL 515 455.88 510 455.88 DL 520 455.88 515 455.88 DL 525 455.88
520 455.88 DL 530 455.88 525 455.88 DL 535 455.88 530 455.88 DL 540
455.88 535 455.88 DL/F4 10/Courier@0 SF(size_t strlcpy\(char *dst, \\)
316 479.88 Q(const char *src, size_t size\);)340 491.88 Q
(size_t strlcat\(char *dst, \\)316 503.88 Q
(const char *src, size_t size\);)340 515.88 Q/F5 10/Times-Bold@0 SF
(Figur)318.16 539.88 Q 2.5(e1)-.18 G(:)-2.5 E F3
(ANSI C prototypes for strlcp)2.5 E(y\(\) and strlcat\(\))-.1 E 321
551.88 316 551.88 DL 325 551.88 320 551.88 DL 330 551.88 325 551.88 DL
335 551.88 330 551.88 DL 340 551.88 335 551.88 DL 345 551.88 340 551.88
DL 350 551.88 345 551.88 DL 355 551.88 350 551.88 DL 360 551.88 355
551.88 DL 365 551.88 360 551.88 DL 370 551.88 365 551.88 DL 375 551.88
370 551.88 DL 380 551.88 375 551.88 DL 385 551.88 380 551.88 DL 390
551.88 385 551.88 DL 395 551.88 390 551.88 DL 400 551.88 395 551.88 DL
405 551.88 400 551.88 DL 410 551.88 405 551.88 DL 415 551.88 410 551.88
DL 420 551.88 415 551.88 DL 425 551.88 420 551.88 DL 430 551.88 425
551.88 DL 435 551.88 430 551.88 DL 440 551.88 435 551.88 DL 445 551.88
440 551.88 DL 450 551.88 445 551.88 DL 455 551.88 450 551.88 DL 460
551.88 455 551.88 DL 465 551.88 460 551.88 DL 470 551.88 465 551.88 DL
475 551.88 470 551.88 DL 480 551.88 475 551.88 DL 485 551.88 480 551.88
DL 490 551.88 485 551.88 DL 495 551.88 490 551.88 DL 500 551.88 495
551.88 DL 505 551.88 500 551.88 DL 510 551.88 505 551.88 DL 515 551.88
510 551.88 DL 520 551.88 515 551.88 DL 525 551.88 520 551.88 DL 530
551.88 525 551.88 DL 535 551.88 530 551.88 DL 540 551.88 535 551.88 DL
F2(Common Misconceptions)360.17 600.48 Q F3 7.3
(The most common misconception is that)341 616.68 R(strncp)316 628.68 Q
1.658(y\(\) NUL-terminates the destination string.)-.1 F(This)6.658 E
1.341(is only true, ho)316 640.68 R(we)-.25 E -.15(ve)-.25 G 2.141 -.4
(r, i).15 H 3.841(fl).4 G 1.341(ength of the source string is)-3.841 F
1.338(less than the size parameter)316 652.68 R 6.339(.T)-.55 G 1.339
(his can be problematic)-6.339 F .12(when cop)316 664.68 R .12
(ying user input that may be of arbitrary length)-.1 F .318
(into a \214x)316 676.68 R .318(ed size b)-.15 F(uf)-.2 E(fer)-.25 E
5.318(.T)-.55 G .318(he safest w)-5.318 F .318(ay to use strncp)-.1 F
(y\(\))-.1 E .201
(in this situation is to pass it one less than the size of the)316
688.68 R 3.271(destination string, and then terminate the string by)316
700.68 R 3.919(hand. That)316 712.68 R -.1(wa)3.919 G 3.919(yy).1 G
1.419(ou are guaranteed to al)-3.919 F -.1(wa)-.1 G 1.419(ys ha).1 F
1.718 -.15(ve a)-.2 H .024(NUL-terminated destination string.)316 724.68
R .024(Strictly speaking, it)5.024 F EP
%%Page: 2 2
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 1.458
(is not necessary to hand-terminate the string if it is a)72 84 R .521
(\231static\232 v)72 96 R .521(ariable or if it w)-.25 F .521
(as allocated via calloc\(\) since)-.1 F 1.286
(such strings are zeroed out when allocated.)72 108 R(Ho)6.285 E(we)-.25
E -.15(ve)-.25 G -.4(r,).15 G 1.406
(relying on this feature is generally confusing to those)72 120 R
(persons who must later maintain the code.)72 132 Q 1.487
(There is also an implicit assumption that con-)97 148.2 R -.15(ve)72
160.2 S .69(rting code from strcp).15 F .69
(y\(\) and strcat\(\) to strncp)-.1 F .69(y\(\) and)-.1 F 3.66
(strncat\(\) causes ne)72 172.2 R 3.66(gligible performance de)-.15 F
(gradation.)-.15 E -.4(Whi)72 184.2 S 1.36
(le this is true of strncat\(\), the same cannot be said).4 F 1.003
(for strncp)72 196.2 R 1.002
(y\(\) since it zero-\214lls the remaining bytes not)-.1 F .139
(used to store the string being copied.)72 208.2 R .139
(This can lead to a)5.139 F .646
(measurable performance hit when the size of the desti-)72 220.2 R 2.453
(nation string is much greater than the length of the)72 232.2 R .052
(source string.)72 244.2 R .051(The e)5.052 F .051
(xact penalty for using strncp)-.15 F .051(y\(\) due)-.1 F .768
(to this beha)72 256.2 R .769(vior v)-.2 F .769
(aries by CPU architecture and imple-)-.25 F(mentation.)72 268.2 Q .152
(The most common mistak)97 284.4 R 2.651(em)-.1 G .151
(ade with strncat\(\) is)-2.651 F .23
(to use an incorrect size parameter)72 296.4 R 5.23(.W)-.55 G .23
(hile strncat\(\) does)-5.23 F 1.273
(guarantee to NUL-terminate the destination, you must)72 308.4 R .766
(not count the space for the NUL in the size parameter)72 320.4 R(.)-.55
E .702(Most importantly)72 332.4 R 3.201(,t)-.65 G .701
(his is not the size of the destination)-3.201 F 1.084
(string itself, rather it is the amount of space a)72 344.4 R -.25(va)
-.2 G(ilable.).25 E .085(As this is almost al)72 356.4 R -.1(wa)-.1 G
.085(ys a v).1 F .085(alue that must be computed,)-.25 F 1.4
(as opposed to a kno)72 368.4 R 1.4(wn constant, it is often computed)
-.25 F(incorrectly)72 380.4 Q(.)-.65 E/F1 12/Times-Bold@0 SF(Ho)72.394
412.8 Q 3(wd)-.12 G 3(os)-3 G(trlcpy\(\) and strlcat\(\) help things?)-3
E F0 2.845(The strlcp)97 429 R 2.845
(y\(\) and strlcat\(\) functions pro)-.1 F 2.845(vide a)-.15 F 1.642
(consistent, unambiguous API to help the programmer)72 441 R .763
(write more b)72 453 R .763(ullet-proof code.)-.2 F .763
(First and foremost, both)5.763 F(strlcp)72 465 Q 1.527
(y\(\) and strlcat\(\) guarantee to NUL-terminate the)-.1 F .646
(destination string for all strings where the gi)72 477 R -.15(ve)-.25 G
3.145(ns).15 G .645(ize is)-3.145 F 2.855(non-zero. Secondly)72 489 R
2.855(,b)-.65 G .355(oth functions tak)-2.855 F 2.855(et)-.1 G .355
(he full size of)-2.855 F .109
(the destination string as a size parameter)72 501 R 5.109(.I)-.55 G
2.609(nm)-5.109 G .108(ost cases)-2.609 F .565(this v)72 513 R .566
(alue is easily computed at compile time using the)-.25 F/F2 10
/Courier@0 SF(sizeof)72 525 Q F0(operator)4.842 E 7.342(.F)-.55 G
(inally)-7.342 E 4.842(,n)-.65 G 2.342(either strlcp)-4.842 F 2.341
(y\(\) nor strl-)-.1 F 2.044
(cat\(\) zero-\214ll their destination strings \(other than the)72 537 R
(compulsory NUL to terminate the string\).)72 549 Q 2.635(The strlcp)
97 565.2 R 2.635(y\(\) and strlcat\(\) functions return the)-.1 F 1.099
(total length of the string the)72 577.2 R 3.599(yt)-.15 G 1.099
(ried to create.)-3.599 F -.15(Fo)6.099 G 3.599(rs).15 G(trl-)-3.599 E
(cp)72 589.2 Q 1.468
(y\(\) that is simply the length of the source; for strl-)-.1 F 1.825
(cat\(\) that means the length of the destination \(before)72 601.2 R
.745(concatenation\) plus the length of the source.)72 613.2 R 2.345 -.8
(To c)5.745 H(heck).8 E .004(for truncation, the programmer need only v)
72 625.2 R .004(erify that the)-.15 F 1.835(return v)72 637.2 R 1.835
(alue is less than the size parameter)-.25 F 6.834(.T)-.55 G 1.834
(hus, if)-6.834 F .541
(truncation has occurred, the number of bytes needed to)72 649.2 R 1.09
(store the entire string is no)72 661.2 R 3.59(wk)-.25 G(no)-3.59 E 1.09
(wn and the program-)-.25 F .554(mer may allocate more space and re-cop)
72 673.2 R 3.055(yt)-.1 G .555(he strings if)-3.055 F .817
(he or she wishes.)72 685.2 R .817(The return v)5.817 F .816
(alue has similar seman-)-.25 F .876(tics to the return v)72 697.2 R
.877(alue of snprintf\(\) as implemented in)-.25 F .85
(BSD and as speci\214ed by the upcoming C9X speci\214ca-)72 709.2 R
2.359(tion [4] \(note that not all snprintf\(\) implementations)72 721.2
R .102(currently comply with C9X\).)316 84 R .101
(If no truncation occurred,)5.101 F 2.41(the programmer no)316 96 R 4.91
(wh)-.25 G 2.41(as the length of the resulting)-4.91 F 4.458
(string. This)316 108 R 1.958(is useful since it is common practice to)
4.458 F -.2(bu)316 120 S 1.437(ild a string with strncp).2 F 1.438
(y\(\) and strncat\(\) and then to)-.1 F 1.632
(\214nd the length of the result using strlen\(\).)316 132 R -.4(Wi)
6.632 G 1.632(th strl-).4 F(cp)316 144 Q .924
(y\(\) and strlcat\(\) the \214nal strlen\(\) is no longer neces-)-.1 F
(sary)316 156 Q(.)-.65 E 1.338
(Example 1a is a code fragment with a potential)341 172.2 R -.2(bu)316
184.2 S -.25(ff).2 G 2.708(er o).25 F -.15(ve)-.15 G(r\215o).15 E 5.208
(w\()-.25 G 2.708(the HOME en)-5.208 F 2.709(vironment v)-.4 F 2.709
(ariable is)-.25 F
(controlled by the user and can be of arbitrary length\).)316 196.2 Q .4
LW 321 212.4 316 212.4 DL 325 212.4 320 212.4 DL 330 212.4 325 212.4 DL
335 212.4 330 212.4 DL 340 212.4 335 212.4 DL 345 212.4 340 212.4 DL 350
212.4 345 212.4 DL 355 212.4 350 212.4 DL 360 212.4 355 212.4 DL 365
212.4 360 212.4 DL 370 212.4 365 212.4 DL 375 212.4 370 212.4 DL 380
212.4 375 212.4 DL 385 212.4 380 212.4 DL 390 212.4 385 212.4 DL 395
212.4 390 212.4 DL 400 212.4 395 212.4 DL 405 212.4 400 212.4 DL 410
212.4 405 212.4 DL 415 212.4 410 212.4 DL 420 212.4 415 212.4 DL 425
212.4 420 212.4 DL 430 212.4 425 212.4 DL 435 212.4 430 212.4 DL 440
212.4 435 212.4 DL 445 212.4 440 212.4 DL 450 212.4 445 212.4 DL 455
212.4 450 212.4 DL 460 212.4 455 212.4 DL 465 212.4 460 212.4 DL 470
212.4 465 212.4 DL 475 212.4 470 212.4 DL 480 212.4 475 212.4 DL 485
212.4 480 212.4 DL 490 212.4 485 212.4 DL 495 212.4 490 212.4 DL 500
212.4 495 212.4 DL 505 212.4 500 212.4 DL 510 212.4 505 212.4 DL 515
212.4 510 212.4 DL 520 212.4 515 212.4 DL 525 212.4 520 212.4 DL 530
212.4 525 212.4 DL 535 212.4 530 212.4 DL 540 212.4 535 212.4 DL F2
(strcpy\(path, homedir\);)316 236.4 Q(strcat\(path, "/"\);)316 248.4 Q
(strcat\(path, ".foorc"\);)316 260.4 Q(len = strlen\(path\);)316 272.4 Q
/F3 10/Times-Bold@0 SF(Example 1a:)316 296.4 Q F0
(Code fragment using strcp)2.5 E(y\(\) and strcat\(\))-.1 E 321 308.4
316 308.4 DL 325 308.4 320 308.4 DL 330 308.4 325 308.4 DL 335 308.4 330
308.4 DL 340 308.4 335 308.4 DL 345 308.4 340 308.4 DL 350 308.4 345
308.4 DL 355 308.4 350 308.4 DL 360 308.4 355 308.4 DL 365 308.4 360
308.4 DL 370 308.4 365 308.4 DL 375 308.4 370 308.4 DL 380 308.4 375
308.4 DL 385 308.4 380 308.4 DL 390 308.4 385 308.4 DL 395 308.4 390
308.4 DL 400 308.4 395 308.4 DL 405 308.4 400 308.4 DL 410 308.4 405
308.4 DL 415 308.4 410 308.4 DL 420 308.4 415 308.4 DL 425 308.4 420
308.4 DL 430 308.4 425 308.4 DL 435 308.4 430 308.4 DL 440 308.4 435
308.4 DL 445 308.4 440 308.4 DL 450 308.4 445 308.4 DL 455 308.4 450
308.4 DL 460 308.4 455 308.4 DL 465 308.4 460 308.4 DL 470 308.4 465
308.4 DL 475 308.4 470 308.4 DL 480 308.4 475 308.4 DL 485 308.4 480
308.4 DL 490 308.4 485 308.4 DL 495 308.4 490 308.4 DL 500 308.4 495
308.4 DL 505 308.4 500 308.4 DL 510 308.4 505 308.4 DL 515 308.4 510
308.4 DL 520 308.4 515 308.4 DL 525 308.4 520 308.4 DL 530 308.4 525
308.4 DL 535 308.4 530 308.4 DL 540 308.4 535 308.4 DL 1.546
(Example 1b is the same fragment con)316 336.6 R -.15(ve)-.4 G 1.546
(rted to safely).15 F .716(use strncp)316 348.6 R .717
(y\(\) and strncat\(\) \(note that we ha)-.1 F 1.017 -.15(ve t)-.2 H
3.217(ot).15 G(ermi-)-3.217 E(nate the destination by hand\).)316 360.6
Q 321 376.8 316 376.8 DL 325 376.8 320 376.8 DL 330 376.8 325 376.8 DL
335 376.8 330 376.8 DL 340 376.8 335 376.8 DL 345 376.8 340 376.8 DL 350
376.8 345 376.8 DL 355 376.8 350 376.8 DL 360 376.8 355 376.8 DL 365
376.8 360 376.8 DL 370 376.8 365 376.8 DL 375 376.8 370 376.8 DL 380
376.8 375 376.8 DL 385 376.8 380 376.8 DL 390 376.8 385 376.8 DL 395
376.8 390 376.8 DL 400 376.8 395 376.8 DL 405 376.8 400 376.8 DL 410
376.8 405 376.8 DL 415 376.8 410 376.8 DL 420 376.8 415 376.8 DL 425
376.8 420 376.8 DL 430 376.8 425 376.8 DL 435 376.8 430 376.8 DL 440
376.8 435 376.8 DL 445 376.8 440 376.8 DL 450 376.8 445 376.8 DL 455
376.8 450 376.8 DL 460 376.8 455 376.8 DL 465 376.8 460 376.8 DL 470
376.8 465 376.8 DL 475 376.8 470 376.8 DL 480 376.8 475 376.8 DL 485
376.8 480 376.8 DL 490 376.8 485 376.8 DL 495 376.8 490 376.8 DL 500
376.8 495 376.8 DL 505 376.8 500 376.8 DL 510 376.8 505 376.8 DL 515
376.8 510 376.8 DL 520 376.8 515 376.8 DL 525 376.8 520 376.8 DL 530
376.8 525 376.8 DL 535 376.8 530 376.8 DL 540 376.8 535 376.8 DL F2
(strncpy\(path, homedir,)316 400.8 Q(sizeof\(path\) - 1\);)340 412.8 Q
(path[sizeof\(path\) - 1] = '\\0';)316 424.8 Q(strncat\(path, "/",)316
436.8 Q(sizeof\(path\) - strlen\(path\) - 1\);)340 448.8 Q
(strncat\(path, ".foorc",)316 460.8 Q
(sizeof\(path\) - strlen\(path\) - 1\);)340 472.8 Q
(len = strlen\(path\);)316 484.8 Q F3(Example 1b:)316 508.8 Q F0(Con)2.5
E -.15(ve)-.4 G(rted to strncp).15 E(y\(\) and strncat\(\))-.1 E 321
520.8 316 520.8 DL 325 520.8 320 520.8 DL 330 520.8 325 520.8 DL 335
520.8 330 520.8 DL 340 520.8 335 520.8 DL 345 520.8 340 520.8 DL 350
520.8 345 520.8 DL 355 520.8 350 520.8 DL 360 520.8 355 520.8 DL 365
520.8 360 520.8 DL 370 520.8 365 520.8 DL 375 520.8 370 520.8 DL 380
520.8 375 520.8 DL 385 520.8 380 520.8 DL 390 520.8 385 520.8 DL 395
520.8 390 520.8 DL 400 520.8 395 520.8 DL 405 520.8 400 520.8 DL 410
520.8 405 520.8 DL 415 520.8 410 520.8 DL 420 520.8 415 520.8 DL 425
520.8 420 520.8 DL 430 520.8 425 520.8 DL 435 520.8 430 520.8 DL 440
520.8 435 520.8 DL 445 520.8 440 520.8 DL 450 520.8 445 520.8 DL 455
520.8 450 520.8 DL 460 520.8 455 520.8 DL 465 520.8 460 520.8 DL 470
520.8 465 520.8 DL 475 520.8 470 520.8 DL 480 520.8 475 520.8 DL 485
520.8 480 520.8 DL 490 520.8 485 520.8 DL 495 520.8 490 520.8 DL 500
520.8 495 520.8 DL 505 520.8 500 520.8 DL 510 520.8 505 520.8 DL 515
520.8 510 520.8 DL 520 520.8 515 520.8 DL 525 520.8 520 520.8 DL 530
520.8 525 520.8 DL 535 520.8 530 520.8 DL 540 520.8 535 520.8 DL 1.033
(Example 1c is a tri)316 549 R 1.032(vial con)-.25 F -.15(ve)-.4 G 1.032
(rsion to the strlcp).15 F(y\(\)/strl-)-.1 E 1.374(cat\(\) API.)316 561
R 1.374(It has the adv)6.374 F 1.374(antage of being as simple as)-.25 F
.845(Example 1a, b)316 573 R .845(ut it does not tak)-.2 F 3.345(ea)-.1
G(dv)-3.345 E .845(antage of the ne)-.25 F(w)-.25 E(API')316 585 Q 2.5
(sr)-.55 G(eturn v)-2.5 E(alue.)-.25 E 321 601.2 316 601.2 DL 325 601.2
320 601.2 DL 330 601.2 325 601.2 DL 335 601.2 330 601.2 DL 340 601.2 335
601.2 DL 345 601.2 340 601.2 DL 350 601.2 345 601.2 DL 355 601.2 350
601.2 DL 360 601.2 355 601.2 DL 365 601.2 360 601.2 DL 370 601.2 365
601.2 DL 375 601.2 370 601.2 DL 380 601.2 375 601.2 DL 385 601.2 380
601.2 DL 390 601.2 385 601.2 DL 395 601.2 390 601.2 DL 400 601.2 395
601.2 DL 405 601.2 400 601.2 DL 410 601.2 405 601.2 DL 415 601.2 410
601.2 DL 420 601.2 415 601.2 DL 425 601.2 420 601.2 DL 430 601.2 425
601.2 DL 435 601.2 430 601.2 DL 440 601.2 435 601.2 DL 445 601.2 440
601.2 DL 450 601.2 445 601.2 DL 455 601.2 450 601.2 DL 460 601.2 455
601.2 DL 465 601.2 460 601.2 DL 470 601.2 465 601.2 DL 475 601.2 470
601.2 DL 480 601.2 475 601.2 DL 485 601.2 480 601.2 DL 490 601.2 485
601.2 DL 495 601.2 490 601.2 DL 500 601.2 495 601.2 DL 505 601.2 500
601.2 DL 510 601.2 505 601.2 DL 515 601.2 510 601.2 DL 520 601.2 515
601.2 DL 525 601.2 520 601.2 DL 530 601.2 525 601.2 DL 535 601.2 530
601.2 DL 540 601.2 535 601.2 DL F2
(strlcpy\(path, homedir, sizeof\(path\)\);)316 625.2 Q
(strlcat\(path, "/", sizeof\(path\)\);)316 637.2 Q
(strlcat\(path, ".foorc", sizeof\(path\)\);)316 649.2 Q
(len = strlen\(path\);)316 661.2 Q F3(Example 1c:)316 685.2 Q F0 -.35
(Tr)2.5 G -.25(iv).35 G(ial con).25 E -.15(ve)-.4 G(rsion to strlcp).15
E(y\(\)/strlcat\(\))-.1 E 321 697.2 316 697.2 DL 325 697.2 320 697.2 DL
330 697.2 325 697.2 DL 335 697.2 330 697.2 DL 340 697.2 335 697.2 DL 345
697.2 340 697.2 DL 350 697.2 345 697.2 DL 355 697.2 350 697.2 DL 360
697.2 355 697.2 DL 365 697.2 360 697.2 DL 370 697.2 365 697.2 DL 375
697.2 370 697.2 DL 380 697.2 375 697.2 DL 385 697.2 380 697.2 DL 390
697.2 385 697.2 DL 395 697.2 390 697.2 DL 400 697.2 395 697.2 DL 405
697.2 400 697.2 DL 410 697.2 405 697.2 DL 415 697.2 410 697.2 DL 420
697.2 415 697.2 DL 425 697.2 420 697.2 DL 430 697.2 425 697.2 DL 435
697.2 430 697.2 DL 440 697.2 435 697.2 DL 445 697.2 440 697.2 DL 450
697.2 445 697.2 DL 455 697.2 450 697.2 DL 460 697.2 455 697.2 DL 465
697.2 460 697.2 DL 470 697.2 465 697.2 DL 475 697.2 470 697.2 DL 480
697.2 475 697.2 DL 485 697.2 480 697.2 DL 490 697.2 485 697.2 DL 495
697.2 490 697.2 DL 500 697.2 495 697.2 DL 505 697.2 500 697.2 DL 510
697.2 505 697.2 DL 515 697.2 510 697.2 DL 520 697.2 515 697.2 DL 525
697.2 520 697.2 DL 530 697.2 525 697.2 DL 535 697.2 530 697.2 DL 540
697.2 535 697.2 DL .154
(Since Example 1c is so easy to read and comprehend, it)316 725.4 R EP
%%Page: 3 3
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF .151(is simple to add additional checks to it.)
72 84 R .151(In Example 1d,)5.151 F 3.063(we check the return v)72 96 R
3.063(alue to mak)-.25 F 5.564(es)-.1 G 3.064(ure there w)-5.564 F(as)
-.1 E .055(enough space for the source string.)72 108 R .055(If there w)
5.055 F .055(as not, we)-.1 F .005(return an error)72 120 R 5.005(.T)
-.55 G .006(his is slightly more complicated b)-5.005 F .006(ut in)-.2 F
1.499(addition to being more rob)72 132 R 1.499(ust, it also a)-.2 F -.2
(vo)-.2 G 1.499(ids the \214nal).2 F(strlen\(\) call.)72 144 Q .4 LW 77
160.2 72 160.2 DL 81 160.2 76 160.2 DL 86 160.2 81 160.2 DL 91 160.2 86
160.2 DL 96 160.2 91 160.2 DL 101 160.2 96 160.2 DL 106 160.2 101 160.2
DL 111 160.2 106 160.2 DL 116 160.2 111 160.2 DL 121 160.2 116 160.2 DL
126 160.2 121 160.2 DL 131 160.2 126 160.2 DL 136 160.2 131 160.2 DL 141
160.2 136 160.2 DL 146 160.2 141 160.2 DL 151 160.2 146 160.2 DL 156
160.2 151 160.2 DL 161 160.2 156 160.2 DL 166 160.2 161 160.2 DL 171
160.2 166 160.2 DL 176 160.2 171 160.2 DL 181 160.2 176 160.2 DL 186
160.2 181 160.2 DL 191 160.2 186 160.2 DL 196 160.2 191 160.2 DL 201
160.2 196 160.2 DL 206 160.2 201 160.2 DL 211 160.2 206 160.2 DL 216
160.2 211 160.2 DL 221 160.2 216 160.2 DL 226 160.2 221 160.2 DL 231
160.2 226 160.2 DL 236 160.2 231 160.2 DL 241 160.2 236 160.2 DL 246
160.2 241 160.2 DL 251 160.2 246 160.2 DL 256 160.2 251 160.2 DL 261
160.2 256 160.2 DL 266 160.2 261 160.2 DL 271 160.2 266 160.2 DL 276
160.2 271 160.2 DL 281 160.2 276 160.2 DL 286 160.2 281 160.2 DL 291
160.2 286 160.2 DL 296 160.2 291 160.2 DL/F1 10/Courier@0 SF
(len = strlcpy\(path, homedir,)72 184.2 Q(sizeof\(path\);)96 196.2 Q
(if \(len >= sizeof\(path\)\))72 208.2 Q(return \(ENAMETOOLONG\);)108
220.2 Q(len = strlcat\(path, "/",)72 232.2 Q(sizeof\(path\);)96 244.2 Q
(if \(len >= sizeof\(path\)\))72 256.2 Q(return \(ENAMETOOLONG\);)108
268.2 Q(len = strlcat\(path, ".foorc",)72 280.2 Q(sizeof\(path\)\);)96
292.2 Q(if \(len >= sizeof\(path\)\))72 304.2 Q
(return \(ENAMETOOLONG\);)108 316.2 Q/F2 10/Times-Bold@0 SF(Example 1d:)
72 340.2 Q F0(No)2.5 E 2.5(ww)-.25 G(ith a check for truncation)-2.5 E
77 352.2 72 352.2 DL 81 352.2 76 352.2 DL 86 352.2 81 352.2 DL 91 352.2
86 352.2 DL 96 352.2 91 352.2 DL 101 352.2 96 352.2 DL 106 352.2 101
352.2 DL 111 352.2 106 352.2 DL 116 352.2 111 352.2 DL 121 352.2 116
352.2 DL 126 352.2 121 352.2 DL 131 352.2 126 352.2 DL 136 352.2 131
352.2 DL 141 352.2 136 352.2 DL 146 352.2 141 352.2 DL 151 352.2 146
352.2 DL 156 352.2 151 352.2 DL 161 352.2 156 352.2 DL 166 352.2 161
352.2 DL 171 352.2 166 352.2 DL 176 352.2 171 352.2 DL 181 352.2 176
352.2 DL 186 352.2 181 352.2 DL 191 352.2 186 352.2 DL 196 352.2 191
352.2 DL 201 352.2 196 352.2 DL 206 352.2 201 352.2 DL 211 352.2 206
352.2 DL 216 352.2 211 352.2 DL 221 352.2 216 352.2 DL 226 352.2 221
352.2 DL 231 352.2 226 352.2 DL 236 352.2 231 352.2 DL 241 352.2 236
352.2 DL 246 352.2 241 352.2 DL 251 352.2 246 352.2 DL 256 352.2 251
352.2 DL 261 352.2 256 352.2 DL 266 352.2 261 352.2 DL 271 352.2 266
352.2 DL 276 352.2 271 352.2 DL 281 352.2 276 352.2 DL 286 352.2 281
352.2 DL 291 352.2 286 352.2 DL 296 352.2 291 352.2 DL/F3 12
/Times-Bold@0 SF(Design decisions)139.162 400.8 Q F0 3.218(Ag)72 412.8 S
.718(reat deal of thought \(and a fe)-3.218 F 3.218(ws)-.25 G .718
(trong w)-3.218 F .718(ords\) went)-.1 F 1.488
(into deciding just what the semantics of strlcp)72 424.8 R 1.487
(y\(\) and)-.1 F .76(strlcat\(\) w)72 436.8 R .76(ould be.)-.1 F .76
(The original idea w)5.76 F .76(as to mak)-.1 F 3.26(es)-.1 G(trl-)-3.26
E(cp)72 448.8 Q 1.997(y\(\) and strlcat\(\) identical to strncp)-.1 F
1.997(y\(\) and strncat\(\))-.1 F .701(with the e)72 460.8 R .701
(xception that the)-.15 F 3.202(yw)-.15 G .702(ould al)-3.302 F -.1(wa)
-.1 G .702(ys NUL-termi-).1 F 1.202(nate the destination string.)72
472.8 R(Ho)6.201 E(we)-.25 E -.15(ve)-.25 G 2.001 -.4(r, l).15 H 1.201
(ooking back on).4 F .416
(the common use \(and misuse\) of strncat\(\) con)72 484.8 R .417
(vinced us)-.4 F 1.53
(that the size parameter for strlcat\(\) should be the full)72 496.8 R
.682(size of the string and not just the number of characters)72 508.8 R
1.857(left unallocated.)72 520.8 R 1.856(The return v)6.857 F 1.856
(alues started out as the)-.25 F 1.695
(number of characters copied, since this w)72 532.8 R 1.695(as tri)-.1 F
1.695(vial to)-.25 F 1.355(get as a side ef)72 544.8 R 1.355
(fect of the cop)-.25 F 3.855(yo)-.1 G 3.855(rc)-3.855 G 3.855
(oncatenation. W)-3.855 F(e)-.8 E .816(soon decided that a return v)72
556.8 R .817(alue with the same seman-)-.25 F .454
(tics as snprintf\(\)')72 568.8 R 2.954(sw)-.55 G .454
(as a better choice since it gi)-3.054 F -.15(ve)-.25 G 2.954(st).15 G
(he)-2.954 E .635(programmer the most \215e)72 580.8 R .636
(xibility with respect to trunca-)-.15 F(tion detection and reco)72
592.8 Q -.15(ve)-.15 G(ry).15 E(.)-.65 E F3 -.24(Pe)147.952 611.4 S(rf)
.24 E(ormance)-.3 E F0 1.312(Programmers are starting to a)97 627.6 R
-.2(vo)-.2 G 1.311(id strncp).2 F 1.311(y\(\) due)-.1 F 1.279
(its poor performance when the tar)72 639.6 R 1.279(get b)-.18 F(uf)-.2
E 1.279(fer is signi\214-)-.25 F 1.257(cantly lar)72 651.6 R 1.257
(ger than the length of the source string.)-.18 F -.15(Fo)6.256 G(r).15
E 5.183(instance, the apache group [6] replaced calls to)72 663.6 R
(strncp)72 675.6 Q .128
(y\(\) with an internal function and noticed a perfor)-.1 F(-)-.2 E .384
(mance impro)72 687.6 R -.15(ve)-.15 G .384(ment [7].).15 F .384
(Also, the ncurses [8] package)5.384 F 1.162(recently remo)72 699.6 R
-.15(ve)-.15 G 3.662(da).15 G 3.662(no)-3.662 G 1.162
(ccurrence of strncp)-3.662 F 1.161(y\(\), resulting)-.1 F 1.324(in a f)
72 711.6 R 1.324(actor of four speedup of the)-.1 F/F4 10/Times-Italic@0
SF(tic)3.824 E F0(utility)3.824 E 6.324(.I)-.65 G 3.825(ti)-6.324 G
3.825(so)-3.825 G(ur)-3.825 E .356
(hope that, in the future, more programmers will use the)72 723.6 R
(interf)316 84 Q .828(ace pro)-.1 F .828(vided by strlcp)-.15 F .829
(y\(\) rather than using a cus-)-.1 F(tom interf)316 96 Q(ace.)-.1 E
2.306 -.8(To g)341 112.2 T .706(et a feel for the w).8 F .705
(orst-case scenario in com-)-.1 F 1.886(paring strncp)316 124.2 R 1.886
(y\(\) and strlcp)-.1 F 1.886(y\(\), we ran a test program)-.1 F .085
(that copies the string \231this is just a test\232 1000 times into)316
136.2 R 7.2(a1)316 148.2 S 4.7(024 byte b)-7.2 F(uf)-.2 E(fer)-.25 E 9.7
(.T)-.55 G 4.7(his is some)-9.7 F 4.7(what unf)-.25 F 4.7(air to)-.1 F
(strncp)316 160.2 Q 2.578
(y\(\), since by using a small string and a lar)-.1 F(ge)-.18 E -.2(bu)
316 172.2 S -.25(ff).2 G .448(er strncp).25 F .448
(y\(\) has to \214ll most of the b)-.1 F(uf)-.2 E .448(fer with NUL)-.25
F 3.037(characters. In)316 184.2 R .537(practice, ho)3.037 F(we)-.25 E
-.15(ve)-.25 G 1.337 -.4(r, i).15 H 3.037(ti).4 G 3.037(sc)-3.037 G .536
(ommon to use a)-3.037 F -.2(bu)316 196.2 S -.25(ff).2 G .66
(er that is much lar).25 F .66(ger than the e)-.18 F .66
(xpected user input.)-.15 F -.15(Fo)316 208.2 S 5.836(ri).15 G 3.336
(nstance, pathname b)-5.836 F(uf)-.2 E 3.336(fers are MAXP)-.25 F -1.11
(AT)-.92 G(HLEN)1.11 E .918(long \(1024 bytes\), b)316 220.2 R .919
(ut most \214lenames are signi\214cantly)-.2 F 1.843(shorter than that.)
316 232.2 R 1.842(The a)6.842 F -.15(ve)-.2 G 1.842
(rages run times in T).15 F 1.842(able 1)-.8 F 3.553
(were generated on an HP9000/425t with a 25Mhz)316 244.2 R 1.578
(68040 CPU running OpenBSD 2.5 and a DEC AXP-)316 256.2 R 4.58
(PCI166 with a 166Mhz alpha CPU also running)316 268.2 R .529
(OpenBSD 2.5.)316 280.2 R .529(In all cases, the same C v)5.529 F .529
(ersions of the)-.15 F .128
(functions were used and the times are the \231real time\232 as)316
292.2 R(reported by the)316 304.2 Q F4(time)2.5 E F0(utility)2.5 E(.)
-.65 E 434.61 317.1 316 317.1 DL 20.84(cpu function)321 326.6 R(time)15
E 434.61 331.1 316 331.1 DL 12.5(m68k strcp)321 340.6 R 23.99(y0)-.1 G
(.137)-23.99 E 12.5(m68k strncp)321 352.6 R 18.99(y0)-.1 G(.464)-18.99 E
12.5(m68k strlcp)321 364.6 R 21.21(y0)-.1 G(.14)-21.21 E 13.62
(alpha strcp)321 376.6 R 23.99(y0)-.1 G(.018)-23.99 E 13.62
(alpha strncp)321 388.6 R 18.99(y0)-.1 G(.10)-18.99 E 13.62
(alpha strlcp)321 400.6 R 21.21(y0)-.1 G(.02)-21.21 E 434.61 405.1 316
405.1 DL 434.61 317.1 434.61 405.1 DL 316 317.1 316 405.1 DL F2 -.92(Ta)
316 416.8 S(ble 1).92 E F0 2.5(:P)C(erformance timings in seconds)-2.5 E
.45(As can be seen in T)316 433 R .45(able 1, the timings for strncp)-.8
F .45(y\(\) are)-.1 F -.1(fa)316 445 S 3.395(rw).1 G .895
(orse than those for strcp)-3.495 F .896(y\(\) and strlcp)-.1 F 3.396
(y\(\). This)-.1 F(is)3.396 E .866
(probably due not only to the cost of NUL padding b)316 457 R(ut)-.2 E
.935(also because the CPU')316 469 R 3.435(sd)-.55 G .935
(ata cache is ef)-3.435 F(fecti)-.25 E -.15(ve)-.25 G .935(ly being).15
F(\215ushed by the long stream of zeroes.)316 481 Q F3
(What strlcpy\(\) and strlcat\(\) ar)334.958 513.4 Q 3(en)-.216 G(ot)-3
E F0 1.989(While strlcp)341 529.6 R 1.988
(y\(\) and strlcat\(\) are well-suited for)-.1 F 3.346
(dealing with \214x)316 541.6 R 3.347(ed-size b)-.15 F(uf)-.2 E 3.347
(fers, the)-.25 F 5.847(yc)-.15 G 3.347(annot replace)-5.847 F(strncp)
316 553.6 Q .184(y\(\) and strncat\(\) in all cases.)-.1 F .183
(There are still times)5.183 F .654
(where it is necessary to manipulate b)316 565.6 R(uf)-.2 E .655
(fers that are not)-.25 F 3.744(true C strings \(the strings in)316
577.6 R F1 3.743(struct utmp)6.244 F F0(for)6.243 E 2.872
(instance\). Ho)316 589.6 R(we)-.25 E -.15(ve)-.25 G 1.173 -.4(r, w).15
H 2.873(ew).4 G .373(ould ar)-2.973 F .373(gue that such \231pseudo)-.18
F .777(strings\232 should not be used in ne)316 601.6 R 3.277(wc)-.25 G
.777(ode since the)-3.277 F 3.277(ya)-.15 G(re)-3.277 E 2.815
(prone to misuse, and in our e)316 613.6 R 2.815(xperience, a common)
-.15 F .633(source of b)316 625.6 R 3.133(ugs. Additionally)-.2 F 3.133
(,t)-.65 G .633(he strlcp)-3.133 F .633(y\(\) and strlcat\(\))-.1 F .786
(functions are not an attempt to \231\214x\232 string handling in)316
637.6 R .195(C, the)316 649.6 R 2.695(ya)-.15 G .194
(re designed to \214t within the normal frame)-2.695 F -.1(wo)-.25 G(rk)
.1 E 1.403(of C strings.)316 661.6 R 1.403
(If you require string functions that sup-)6.403 F 1.167
(port dynamically allocated, arbitrary sized b)316 673.6 R(uf)-.2 E
1.166(fers you)-.25 F 1.287(may wish to e)316 685.6 R 1.288
(xamine the \231astring\232 package from mib)-.15 F(softw)316 697.6 Q
(are [9].)-.1 E EP
%%Page: 4 4
%%BeginPageSetup
BP
%%EndPageSetup
/F0 12/Times-Bold@0 SF(Who uses strlcpy\(\) and strlcat\(\)?)97.342 86.4
Q/F1 10/Times-Roman@0 SF .044(The strlcp)97 102.6 R .043
(y\(\) and strlcat\(\) functions \214rst appeared)-.1 F 2.927
(in OpenBSD 2.4.)72 114.6 R 2.927(The functions ha)7.927 F 3.227 -.15
(ve a)-.2 H 2.928(lso recently).15 F 3.27(been appro)72 126.6 R -.15(ve)
-.15 G 5.77(df).15 G 3.27(or inclusion in a future v)-5.77 F 3.27
(ersion of)-.15 F 4.465(Solaris. Third-party)72 138.6 R 1.966
(packages are starting to pick up)4.465 F 1.701(the API as well.)72
150.6 R -.15(Fo)6.701 G 4.201(ri).15 G 1.701
(nstance, the rsync [5] package)-4.201 F(no)72 162.6 Q 3.695(wu)-.25 G
1.195(ses strlcp)-3.695 F 1.195(y\(\) and pro)-.1 F 1.196(vides its o)
-.15 F 1.196(wn v)-.25 F 1.196(ersion if the)-.15 F .239
(OS does not support it.)72 174.6 R .239
(It is our hope that other operat-)5.239 F .445
(ing systems and applications will use strlcp)72 186.6 R .445
(y\(\) and strl-)-.1 F 2.222
(cat\(\) in the future, and that it will recei)72 198.6 R 2.522 -.15
(ve s)-.25 H(tandards).15 E(acceptance at some time.)72 210.6 Q F0
(What')146.062 243 Q 3(sN)-.444 G(ext?)-3 E F1 2.747 -.8(We p)97 259.2 T
1.147(lan to replace occurrences of strncp).8 F 1.148(y\(\) and)-.1 F
.395(strncat\(\) with strlcp)72 271.2 R .394
(y\(\) and strlcat\(\) in OpenBSD where)-.1 F .462
(it is sensible to do so.)72 283.2 R .463(While ne)5.463 F 2.963(wc)-.25
G .463(ode in OpenBSD is)-2.963 F 1.062(being written to use the ne)72
295.2 R 3.562(wA)-.25 G 1.062(PI, there is still a lar)-3.562 F(ge)-.18
E .379(amount of code that w)72 307.2 R .379(as con)-.1 F -.15(ve)-.4 G
.379(rted to use strncp).15 F .379(y\(\) and)-.1 F .303
(strncat\(\) during our original security audit.)72 319.2 R 1.902 -.8
(To t)5.302 H .302(his day).8 F(,)-.65 E .721(we continue to disco)72
331.2 R -.15(ve)-.15 G 3.221(rb).15 G .721
(ugs due to incorrect usage of)-3.421 F(strncp)72 343.2 Q .256
(y\(\) and strncat\(\) in e)-.1 F .256(xisting code.)-.15 F .255
(Updating older)5.255 F .446(code to use strlcp)72 355.2 R .447
(y\(\) and strlcat\(\) should serv)-.1 F 2.947(et)-.15 G 2.947(os)-2.947
G(peed)-2.947 E(up some programs and unco)72 367.2 Q -.15(ve)-.15 G 2.5
(rb).15 G(ugs in others.)-2.7 E F0 -.72 -1.2(Av a)151.654 399.6 T
(ilability)1.2 E F1 3.332(The source code for strlcp)97 415.8 R 3.331
(y\(\) and strlcat\(\) is)-.1 F -.2(av)72 427.8 S .865
(ailable free of char)-.05 F .865(ge and under a BSD-style license)-.18
F 1.821(as part of the OpenBSD operating system.)72 439.8 R -1.1(Yo)
6.821 G 4.321(um)1.1 G(ay)-4.321 E .05(also do)72 451.8 R .05
(wnload the code and its associated manual pages)-.25 F 1.695(via anon)
72 463.8 R 1.694(ymous ftp from ftp.openbsd.or)-.15 F 4.194(gi)-.18 G
4.194(nt)-4.194 G 1.694(he direc-)-4.194 F 6.983
(tory /pub/OpenBSD/src/lib/libc/string.)72 475.8 R 6.984(The source)
11.983 F 1.47(code for strlcp)72 487.8 R 1.47
(y\(\) and strlcat\(\) is in strlcp)-.1 F -.65(y.)-.1 G 3.97(ca).65 G
1.47(nd strl-)-3.97 F 5.303(cat.c. The)72 499.8 R 2.803
(documentation \(which uses the tmac.doc)5.303 F(trof)72 511.8 Q 2.5(fm)
-.25 G(acros\) may be found in strlcp)-2.5 E -.65(y.)-.1 G(3.).65 E F0
-.6(Au)129.952 544.2 S(thor Inf).6 E(ormation)-.3 E F1 -.8(To)97 560.4 S
.188(dd C. Miller has been in).8 F -.2(vo)-.4 G(lv).2 E .188
(ed in the free soft-)-.15 F -.1(wa)72 572.4 S .207
(re community since 1993 when he took o).1 F -.15(ve)-.15 G 2.708(rm).15
G(ainte-)-2.708 E 1.687(nance of the sudo package.)72 584.4 R 1.686
(He joined the OpenBSD)6.686 F .844(project in 1996 as an acti)72 596.4
R 1.144 -.15(ve d)-.25 H -2.15 -.25(ev e).15 H(loper).25 E 5.844(.T)-.55
G .844(odd belatedly)-6.644 F(recei)72 608.4 Q -.15(ve)-.25 G 3.949(daB)
.15 G 3.949(Si)-3.949 G 3.949(nC)-3.949 G 1.449
(omputer Science in 1997 from the)-3.949 F(Uni)72 620.4 Q -.15(ve)-.25 G
1.667(rsity of Colorado, Boulder \(after years of prod-).15 F 3.187
(ding\). T)72 632.4 R .687(odd has so f)-.8 F .687(ar managed to a)-.1 F
-.2(vo)-.2 G .686(id the corporate).2 F -.1(wo)72 644.4 S .881
(rld and currently w).1 F .882(orks as a Systems Administrator)-.1 F
5.04(at the Uni)72 656.4 R -.15(ve)-.25 G 5.04
(rsity of Colorado, Boulder blissfully).15 F .995
(ensconced in academia.)72 668.4 R .995(He may be reached via email)
5.995 F(at <T)72 680.4 Q(odd.Miller@cs.colorado.edu>.)-.8 E .738
(Theo de Raadt has been in)97 696.6 R -.2(vo)-.4 G(lv).2 E .737
(ed with free Unix)-.15 F 3.94(operating systems since 1990.)72 708.6 R
3.94(Early de)8.94 F -.15(ve)-.25 G(lopments).15 E 1.098
(included porting Minix to the sun3/50 and amig)72 720.6 R 1.097(a, and)
-.05 F .984(PDP-11 BSD 2.9 to a 68030 computer)316 84 R 5.984(.A)-.55 G
3.484(so)-5.984 G .984(ne of the)-3.484 F .079
(founders of the NetBSD project, Theo w)316 96 R(ork)-.1 E .078
(ed on main-)-.1 F 5.916(taining and impro)316 108 R 5.916(ving man)-.15
F 8.416(ys)-.15 G 5.916(ystem components)-8.416 F .851
(including the sparc port and a free YP implementation)316 120 R .564
(that is no)316 132 R 3.064(wi)-.25 G 3.064(nu)-3.064 G .565
(se by most free systems.)-3.064 F .565(In 1995 Theo)5.565 F 1.849
(created the OpenBSD project, which places focus on)316 144 R(security)
316 156 Q 2.946(,i)-.65 G(nte)-2.946 E .446(grated cryptograph)-.15 F
1.746 -.65(y, a)-.05 H .446(nd code correctness.).65 F .2(Theo w)316 168
R .2(orks full time on adv)-.1 F .2(ancing OpenBSD.)-.25 F .2(He may)5.2
F(be reached via email at <deraadt@openbsd.or)316 180 Q(g>.)-.18 E F0
(Refer)397.124 212.4 Q(ences)-.216 E F1 10.84([1] Aleph)316 228.6 R
3.531(One. \231Smashing)3.531 F 1.031(The Stack F)3.531 F 1.032
(or Fun And)-.15 F(Pro\214t.)341 240.6 Q<9a>-.7 E/F2 10/Times-Italic@0
SF(Phr)7.4 E(ac)-.15 E 4.9(kM)-.2 G -.1(ag)-4.9 G 2.4(azine V).1 F 2.4
(olume Se)-1.11 F 2.4(ven, Issue)-.15 F -1.05(Fo)341 252.6 S(rty-Nine)
1.05 E(.)-.15 E F1 10.84([2] BugT)316 268.8 R 23.623
(raq Mailing List Archi)-.35 F -.15(ve)-.25 G(s.).15 E(http://www)341
280.8 Q(.geek-girl.com/b)-.65 E 10.21(ugtraq/. This)-.2 F(web)10.21 E
.153(page contains searchable archi)341 292.8 R -.15(ve)-.25 G 2.653(so)
.15 G 2.654(ft)-2.653 G .154(he BugT)-2.654 F(raq)-.35 E(mailing list.)
341 304.8 Q 10.84([3] Brian)316 321 R 3.057 -.92(W. K)3.718 H 1.217
(ernighan, Dennis M. Ritchie.).67 F F2 1.217(The C)6.217 F(Pr)341 333 Q
-.1(og)-.45 G -.15(ra).1 G 1.6(mming Langua).15 F 1.8 -.1(ge, S)-.1 H
1.6(econd Edition.).1 F F1(Pren-)6.6 E(tice Hall, PTR, 1988.)341 345 Q
10.84([4] International)316 361.2 R(Standards Or)2.5 E -.05(ga)-.18 G
(nization.).05 E 5.024(\231C9X FCD, Programming languages \212 C\232)341
373.2 R(http://www)341 385.2 Q(old.dkuug.dk/jtc1/sc22/open/n2794/)-.1 E
1.548(This web page contains the current draft of the)341 397.2 R
(upcoming C9X standard.)341 409.2 Q 10.84([5] Andre)316 425.4 R 6.276
(wT)-.25 G 3.776(ridgell, P)-6.626 F 3.776(aul Mack)-.15 F(erras.)-.1 E
F2 3.776(The r)8.776 F(sync)-.1 E(algorithm.)341 437.4 Q F1
(http://rsync.samba.or)341 449.4 Q 11.42(g/rsync/tech_report/. This)-.18
F 1.508(web page contains a technical report describing)341 461.4 R
(the rsync program.)341 473.4 Q 10.84([6] The)316 489.6 R 2.548
(Apache Group.)5.048 F 2.548(The Apache W)7.548 F 2.549(eb Serv)-.8 F
(er)-.15 E(.)-.55 E(http://www)341 501.6 Q(.apache.or)-.65 E 4.133
(g. This)-.18 F 1.632(web page contains)4.133 F
(information on the Apache web serv)341 513.6 Q(er)-.15 E(.)-.55 E 10.84
([7] The)316 529.8 R .073(Apache Group.)2.572 F(Ne)5.073 E 2.573(wf)-.25
G .073(eatures in Apache v)-2.573 F(er)-.15 E(-)-.2 E 4.085(sion 1.3.)
341 541.8 R(http://www)9.085 E(.apache.or)-.65 E(g/docs/ne)-.18 E
(w_fea-)-.25 E 2.52(tures_1_3.html. This)341 553.8 R .02
(web page contains ne)2.52 F 2.52(wf)-.25 G(ea-)-2.52 E(tures in v)341
565.8 Q(ersion 1.3 of the Apache web serv)-.15 E(er)-.15 E(.)-.55 E
10.84([8] The)316 582 R 9.416(Ncurses \(ne)11.916 F 11.916(wc)-.25 G
9.416(urses\) home page.)-11.916 F(http://www)341 594 Q
(.clark.net/pub/dick)-.65 E -.15(ey)-.1 G 11.58(/ncurses/. This).15 F
1.043(web page contains Ncurses information and dis-)341 606 R(trib)341
618 Q(utions.)-.2 E 10.84([9] F)316 634.2 R 1.373(orrest J. Ca)-.15 F
-.25(va)-.2 G 1.373(lier III.).25 F 1.374(\231Libmib allocated string)
6.373 F(functions.)341 646.2 Q 21.85<9a68>-.7 G(ttp://www)-21.85 E
(.mibsoftw)-.65 E(are.com/lib-)-.1 E 3.726(mib/astring/. This)341 658.2
R 1.227(web page contains a descrip-)3.726 F 1.266
(tion and implementation of a set of string func-)341 670.2 R .302
(tions that dynamically allocate memory as neces-)341 682.2 R(sary)341
694.2 Q(.)-.65 E EP
%%Trailer
end
%%EOF