int64.org

strncpy is not your friend

Being in IRC, every so often you will find some­one herald­ing the use of strncpy for writ­ing se­cure code. A lot of the time they are just going off what oth­ers have said, and can’t even tell you what strncpy re­ally does. strncpy is a prob­lem for two rea­sons:

• It silently trun­cates data. When, in all of your ex­pe­ri­ence cod­ing, has silent trun­ca­tion been ac­cept­able be­hav­ior? Re­plac­ing one bug (a buffer over­flow) with silent trun­ca­tion is not a fix, it’s just hid­ing the prob­lem.
• strncpy does not do what you think it does. It is not made for se­cu­rity—in fact, if the buffer runs out of room it will copy into the last char­ac­ter, not adding a null ter­mi­na­tor! So once again, you re­place a buffer over­flow with an­other bug.

Bugs hap­pen. Some­times we build san­ity checks into pro­grams to com­bat un­known ones be­fore they be­come a prob­lem. But strncpy is not a san­ity check or se­cu­rity fea­ture—using it in­stead of re­siz­ing a buffer to ac­com­mo­date the data, or just out­right re­ject­ing the data if it gets too big is a bug.

Related Posts

• Writ­ing a good parser on Jan­u­ary 02, 2008 in C, Cod­ing
• Vi­sual Stu­dio 2008 re­leased, TR1 sup­port com­ing on No­vem­ber 24, 2007 in Cod­ing
• MSDN Con­tent Ser­vice on De­cem­ber 02, 2007 in Cod­ing
• Is C# the Boost of C-fam­ily lan­guages? on Oc­to­ber 28, 2010 in C, Cod­ing
• C++0x work pro­gress­ing on No­vem­ber 28, 2007 in Cod­ing