Module Name:    src
Committed By:   riastradh
Date:           Fri Aug 11 09:39:39 UTC 2023

Modified Files:
        src/lib/libc/string: Makefile.inc strcpy.3
Added Files:
        src/lib/libc/string: strncpy.3

Log Message:
strncpy(3), stpncpy(3): Split man page out of strcpy(3), stpcpy(3).

These are for substantively different purposes (fixed-width fields
with optional NUL padding vs NUL-terminated strings), so they don't
belong together.

Be more specific about the security issues.


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/lib/libc/string/Makefile.inc
cvs rdiff -u -r1.23 -r1.24 src/lib/libc/string/strcpy.3
cvs rdiff -u -r0 -r1.1 src/lib/libc/string/strncpy.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libc/string/Makefile.inc
diff -u src/lib/libc/string/Makefile.inc:1.87 src/lib/libc/string/Makefile.inc:1.88
--- src/lib/libc/string/Makefile.inc:1.87	Tue Aug  1 17:51:25 2023
+++ src/lib/libc/string/Makefile.inc	Fri Aug 11 09:39:39 2023
@@ -1,5 +1,5 @@
 #	from: @(#)Makefile.inc	8.1 (Berkeley) 6/4/93
-#	$NetBSD: Makefile.inc,v 1.87 2023/08/01 17:51:25 christos Exp $
+#	$NetBSD: Makefile.inc,v 1.88 2023/08/11 09:39:39 riastradh Exp $
 
 # string sources
 .PATH: ${ARCHDIR}/string ${.CURDIR}/string
@@ -60,9 +60,10 @@ MLINKS+=popcount.3 popcount64.3
 MLINKS+=strcasecmp.3 strncasecmp.3
 MLINKS+=strcat.3 strncat.3
 MLINKS+=strcmp.3 strncmp.3
-MLINKS+=strcpy.3 strncpy.3 strcpy.3 stpcpy.3 strcpy.3 stpncpy.3
+MLINKS+=strcpy.3 stpcpy.3
 MLINKS+=strlcpy.3 strlcat.3
 MLINKS+=strlen.3 strnlen.3
+MLINKS+=strncpy.3 stpncpy.3
 MLINKS+=strstr.3 strcasestr.3
 MLINKS+=strstr.3 strnstr.3
 MLINKS+=strchr.3 strchrnul.3
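
Review bot: The added `MLINKS+=strncpy.3 stpncpy.3` line makes strncpy.3 the source of a link, but neither hunk shown for Makefile.inc adds strncpy.3 to the list of installed manual pages. Before this change strncpy.3 existed only as a link to strcpy.3, so unless the MAN list already names it, the new page and its stpncpy.3 link will not be installed. Confirm that the list includes strncpy.3, or add it in this commit.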

Index: src/lib/libc/string/strcpy.3
diff -u src/lib/libc/string/strcpy.3:1.23 src/lib/libc/string/strcpy.3:1.24
--- src/lib/libc/string/strcpy.3:1.23	Wed Apr  1 20:18:17 2015
+++ src/lib/libc/string/strcpy.3	Fri Aug 11 09:39:39 2023
@@ -30,16 +30,14 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     from: @(#)strcpy.3	8.1 (Berkeley) 6/4/93
-.\"	$NetBSD: strcpy.3,v 1.23 2015/04/01 20:18:17 riastradh Exp $
+.\"	$NetBSD: strcpy.3,v 1.24 2023/08/11 09:39:39 riastradh Exp $
 .\"
-.Dd April 1, 2015
+.Dd August 11, 2023
 .Dt STRCPY 3
 .Os
 .Sh NAME
 .Nm stpcpy ,
-.Nm stpncpy ,
-.Nm strcpy ,
-.Nm strncpy
+.Nm strcpy
 .Nd copy strings
 .Sh LIBRARY
 .Lb libc
@@ -48,11 +46,7 @@
 .Ft char *
 .Fn stpcpy "char * restrict dst" "const char * restrict src"
 .Ft char *
-.Fn stpncpy "char * restrict dst" "const char * restrict src" "size_t len"
-.Ft char *
 .Fn strcpy "char * restrict dst" "const char * restrict src"
-.Ft char *
-.Fn strncpy "char * restrict dst" "const char * restrict src" "size_t len"
 .Sh DESCRIPTION
 The
 .Fn stpcpy
@@ -62,165 +56,73 @@ functions
 copy the string
 .Fa src
 to
-.Fa dst
-(including the terminating
-.Ql \e0
-character).
-.Pp
-The
-.Fn stpncpy
-and
-.Fn strncpy
-functions copy at most
-.Fa len
-characters from
-.Fa src
-into
-.Fa dst .
-If
-.Fa src
-is less than
-.Fa len
-characters long,
-the remainder of
-.Fa dst
-is filled with
+.Fa dst ,
+including the terminating
 .Ql \e0
-characters.
-Otherwise,
-.Fa dst
-is
-.Em not
-terminated.
+character.
 .Pp
 The strings
 .Fa src
 and
 .Fa dst
 may not overlap.
+The string
+.Fa src
+must be terminated by a
+.Ql \e0
+character.
+The memory for
+.Fa dst
+must have space for
+.Fn strlen src Li "+ 1"
+bytes.
 .Sh RETURN VALUES
 The
 .Fn strcpy
-and
-.Fn strncpy
-functions
-return
+function returns
 .Fa dst .
+.Pp
 The
 .Fn stpcpy
-and
-.Fn stpncpy
-functions return a pointer to the terminating
+function returns a pointer to the terminating
 .Ql \e0
 character of
 .Fa dst .
-If
-.Fn stpncpy
-does not terminate
-.Fa dst
-with a
-.Dv NUL
-character, it instead returns a pointer to
-.Li dst[len]
-(which does not necessarily refer to a valid memory location.)
-.Sh EXAMPLES
-The following sets
-.Va chararray
-to
-.Dq Li abc\e0\e0\e0 :
-.Bd -literal -offset indent
-char chararray[6];
-
-(void)strncpy(chararray, "abc", sizeof(chararray));
-.Ed
-.Pp
-The following sets
-.Va chararray
-to
-.Dq Li abcdef :
-.Bd -literal -offset indent
-char chararray[6];
-
-(void)strncpy(chararray, "abcdefgh", sizeof(chararray));
-.Ed
-.Pp
-Note that it does
-.Em not
-.Dv NUL Ns No -terminate
-.Va chararray
-because the length of the source string is greater than or equal
-to the length parameter.
-.Fn strncpy
-.Em only
-.Dv NUL Ns No -terminates
-the destination string when the length of the source
-string is less than the length parameter.
-.Pp
-The following copies as many characters from
-.Va input
-to
-.Va buf
-as will fit and
-.Dv NUL Ns No -terminates
-the result.
-Because
-.Fn strncpy
-does
-.Em not
-guarantee to
-.Dv NUL Ns No -terminate
-the string itself, this must be done explicitly.
-.Bd -literal -offset indent
-char buf[1024];
-
-(void)strncpy(buf, input, sizeof(buf) - 1);
-buf[sizeof(buf) - 1] = '\e0';
-.Ed
-.Pp
-This could be better and more simply achieved using
-.Xr strlcpy 3 ,
-as shown in the following example:
-.Bd -literal -offset indent
-(void)strlcpy(buf, input, sizeof(buf));
-.Ed
-.Pp
-Note that because
-.Xr strlcpy 3
-is not defined in any standards, it should
-only be used when portability is not a concern.
 .Sh SEE ALSO
 .Xr bcopy 3 ,
 .Xr memccpy 3 ,
 .Xr memcpy 3 ,
 .Xr memmove 3 ,
 .Xr strlcpy 3 ,
+.Xr strncpy 3 ,
 .Xr wcscpy 3
 .Sh STANDARDS
 The
 .Fn strcpy
-and
-.Fn strncpy
-functions
-conform to
+function conforms to
 .St -isoC-99 .
+.Pp
 The
 .Fn stpcpy
-and
-.Fn stpncpy
-functions conform to
+function conforms to
 .St -p1003.1-2008 .
 .Sh HISTORY
 The
 .Fn stpcpy
-and
-.Fn stpncpy
-functions first appeared in
+function first appeared in
 .Nx 6.0 .
 .Sh SECURITY CONSIDERATIONS
 The
 .Fn strcpy
 and
 .Fn stpcpy
-functions are easily misused in a manner which enables malicious users
-to arbitrarily change a running program's functionality through a
-buffer overflow attack.
+functions copy until a
+.Ql \e0
+terminator without any bounds checks on the size of the input or output
+buffers.
+If the input buffer is missing a
+.Ql \e0
+terminator, or the input string is longer than the output buffer, this
+can lead to crashes or security vulnerabilities from buffer overruns,
+including disclosure of secrets in memory and arbitrary code
+execution.
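
Review bot: The rewritten SECURITY CONSIDERATIONS text spells out the failure modes but does not tell the reader what to do about them, and this hunk also deletes the EXAMPLES section that carried the page's only strlcpy(3) recommendation. Suggest closing the section with a sentence saying that the caller must establish that strlen(src) is less than the size of dst before calling, or use strlcpy(3), which remains in SEE ALSO. Separately, "may not overlap" in the unchanged DESCRIPTION context can be read as permission rather than prohibition; "must not overlap" would match the "must" wording of the sentences added directly after it.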

Added files:

Index: src/lib/libc/string/strncpy.3
diff -u /dev/null src/lib/libc/string/strncpy.3:1.1
--- /dev/null	Fri Aug 11 09:39:39 2023
+++ src/lib/libc/string/strncpy.3	Fri Aug 11 09:39:39 2023
@@ -0,0 +1,200 @@
+.\" Copyright (c) 1990, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" This code is derived from software contributed to Berkeley by
+.\" Chris Torek and the American National Standards Committee X3,
+.\" on Information Processing Systems.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)strcpy.3	8.1 (Berkeley) 6/4/93
+.\"	$NetBSD: strncpy.3,v 1.1 2023/08/11 09:39:39 riastradh Exp $
+.\"
+.Dd August 11, 2023
+.Dt STRNCPY 3
+.Os
+.Sh NAME
+.Nm stpncpy ,
+.Nm strncpy
+.Nd copy fixed-width string buffers
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In string.h
+.Ft char *
+.Fn stpncpy "char * restrict dst" "const char * restrict src" "size_t len"
+.Ft char *
+.Fn strncpy "char * restrict dst" "const char * restrict src" "size_t len"
+.Sh DESCRIPTION
+The
+.Fn stpncpy
+and
+.Fn strncpy
+functions copy at most
+.Fa len
+.No non- Ns Ql \e0
+characters from
+.Fa src
+into
+.Fa dst .
+If
+.Fa src
+is less than
+.Fa len
+characters long before the first
+.Ql \e0
+character, the remainder of
+.Fa dst
+is filled with
+.Ql \e0
+characters.
+Otherwise,
+.Fa dst
+is
+.Em not
+terminated with a
+.Ql \e0
+character.
+.Pp
+The strings
+.Fa src
+and
+.Fa dst
+may not overlap.
+.Sh RETURN VALUES
+The
+.Fn strncpy
+function returns
+.Fa dst .
+.Pp
+The
+.Fn stpncpy
+function returns a pointer to the terminating
+.Ql \e0
+character of
+.Fa dst .
+If
+.Fn stpncpy
+does not terminate
+.Fa dst
+with a
+.Dv NUL
+character, it instead returns a pointer to
+.Fa dst Ns Li "[" Fa len Ns Li "]" Ns ,
+which may be one past the last element of an array.
+.Sh EXAMPLES
+The following sets
+.Va chararray
+to
+.Dq Li abc\e0\e0\e0 :
+.Bd -literal -offset indent
+char chararray[6];
+
+(void)strncpy(chararray, "abc", sizeof(chararray));
+.Ed
+.Pp
+The following sets
+.Va chararray
+to
+.Dq Li abcdef :
+.Bd -literal -offset indent
+char chararray[6];
+
+(void)strncpy(chararray, "abcdefgh", sizeof(chararray));
+.Ed
+.Pp
+Note that it does
+.Em not
+.Dv NUL Ns No -terminate
+.Va chararray
+because the length of the source string is greater than or equal
+to the length parameter.
+.Fn strncpy
+.Em only
+.Dv NUL Ns No -terminates
+the destination string when the length of the source
+string is less than the length parameter.
+.Pp
+The following copies as many characters from
+.Va input
+to
+.Va buf
+as will fit and
+.Dv NUL Ns No -terminates
+the result.
+Because
+.Fn strncpy
+does
+.Em not
+guarantee to
+.Dv NUL Ns No -terminate
+the string itself, this must be done explicitly.
+.Bd -literal -offset indent
+char buf[1024];
+
+(void)strncpy(buf, input, sizeof(buf) - 1);
+buf[sizeof(buf) - 1] = '\e0';
+.Ed
+.Pp
+This could be better and more simply achieved using
+.Xr strlcpy 3 ,
+as shown in the following example:
+.Bd -literal -offset indent
+(void)strlcpy(buf, input, sizeof(buf));
+.Ed
+.Pp
+Note that because
+.Xr strlcpy 3
+is not defined in any standards, it should
+only be used when portability is not a concern.
+.Sh SEE ALSO
+.Xr bcopy 3 ,
+.Xr memccpy 3 ,
+.Xr memcpy 3 ,
+.Xr memmove 3 ,
+.Xr strcpy 3 ,
+.Xr strlcpy 3 ,
+.Xr wcscpy 3
+.Sh STANDARDS
+The
+.Fn strncpy
+function conforms to
+.St -isoC-99 .
+.Pp
+The
+.Fn stpncpy
+function conforms to
+.St -p1003.1-2008 .
+.Sh HISTORY
+The
+.Fn stpncpy
+function first appeared in
+.Nx 6.0 .
+.Sh SECURITY CONSIDERATIONS
+The
+.Fn stpncpy
+and
+.Fn strncpy
+functions are not guaranteed to NUL-terminate the result.
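
Review bot: SECURITY CONSIDERATIONS at the end of the new page is a single sentence, "functions are not guaranteed to NUL-terminate the result", which is less specific than the strcpy.3 text added in the same commit and falls short of the log message's "Be more specific about the security issues". Suggest stating the consequence (handing an unterminated dst to code that expects a NUL-terminated string makes it read past the end of the buffer) and adding to DESCRIPTION that dst must have room for len bytes, as strcpy.3 now does for its own size requirement. The EXAMPLES carried over from strcpy.3 still present strncpy as a truncating string copy with manual termination, which sits oddly with the new .Nd line "copy fixed-width string buffers"; an example that fills a fixed-width field would fit the page's stated purpose.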
