I am using the code below
char call[64] = {'\0'} /* clean buffer */
strncpy(call, info.called, sizeof(call));
I always use the sizeof for the destination for protecting a overflow, incase source is greater than the destination. This way I can prevent a buffer overflow as it will only copy as much as the destination can handle.
But I am now wondering if it will null terminate the destination.
A couple of cases.
1) If the source is greater.
I could do this:
call[strlen(call) - 1] = '\0'; /* insert a null at the last element.*/
2) If the source is less than the destination.
call is 64 bytes, and I copy 50 bytes as that is the size of the source. Will it automatically put the null in the 51 element?
Many thanks for any information,
strncpy will not null-terminate the destination if it truncates the string. If you must use strncpy, you need to ensure that the result is terminated, something like:
strncpy(call, info.called, sizeof(call) - 1);
call[sizeof(call) - 1] = '\0';
BSD's strlcpy(), among others, is generally considered superior:
http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy
If the source's length is less than the max number passed as third parameter strncpy will null-terminate the destination, otherwise - not.
If the source is equal or greater in length than the destination - it's your problem to deal with it. Doing like you suggest - calling strlen() - will not work since the buffer will be not null-terminated and you'll run into undefined behaviour.
You could allocate a bigger buffer:
char buffer[bufferSize + 1];
strncpy( buffer, source, bufferSize );
*(buffer + bufferSize ) = 0;
Your idea:
call[strlen(call) - 1] = '\0';
would not work, as you would be calling strlen() on a non-terminated string
1) From cplusplus.com: "No null-character is implicitly appended to the end of destination, so destination will only be null-terminated if the length of the C string in source is less than num." So you if you need your string to be null-terminated, you need to do this:
call[sizeof(call) - 1] = '\0';
A good way to do this would be to write a wrapper function for strncpy that always makes sure the string is terminated.
2) If the source is shorter than the destination, the destination will be null-terminated.
But I am now wondering if it will null terminate the destination.
No, strncpy does not promise that target string would be null terminated.
char tar[2]={0,0};
char bar="AB";
strncpy(tar,bar,2);
// result tar[0]=='A'; tar[1]=='B'
It order to make it correct you should use:
strncpy(traget,string,sizeof(target)-1);
target[sizeof(target)-1]=0
Just use strlcpy() instead of strncpy().
You'll have to check if it's available on all platforms.
Early versions of linux probably don't have it.
Use strlcpy in same way as strncpy. no need to do size-1 in 3rd parameter
i.e:
strncpy(call, info.called, sizeof(call)-1);
or
strlcpy(call, info.called, sizeof(call));
Related
I want to append a string literal to destination. I can use strcat or strncat:
strcat(dest, "values");
Or
strncat(dest, "values", sizeof("values") - 1);
strcat has shorter code, it looks neat.
But I wonder about their runtime performance.
Is strncat slightly faster at runtime because there's no need to locate terminator?
Or maybe compilers could do optimization and so there is no difference?
First, both strcat and strncat loks for the null terminator, the difference is that strncat also check for the size of the copied data, and will copy only n bytes.
Second, since strcat does not check for the size of the copied data, and copies until it gets to a null terminator, it might (and will!!) cause a buffer overflow, overriding data that is stored in memory after the buffer you copy to.
Third, your usage of the strncat is not safer, as you limit the copy by the size of the source buffer, not the destination buffer. E.g. to use it correctly you should pass the size of the destination buffer:
strncat(dest, "values", sizeof(dest) -1 );
Fourth, if the size of the source string is bigger than than n of the destination, a null terminator will not be appended, so after the call to strncat you should add it yourself:
strncat(dest, "values", sizeof(dest) -1 );
dest[sizeof(dest) - 1] = '\0';
Last thing, since this is strncat, and it copies to wherever the destination string terminates, the size calculation is slightly more complex and is actually:
strncat(dest, "values", total_size_of_dest_buffer - strlen(dest) - 1 );
I am absolutely sure, that performance is not an issue here.
If you take a look at sources of both functions strcpy() and strncpy() (from glibc) you'll find out that both of them need to iterate over each character of src argument.
Use strcpy() as it's much easier to read and maintain, and is less error-prone.
Also, if there is anything that could optimize this code, I guess any decent compiler will handle that, as it seems to be quite common expression.
Is strncat slightly faster at runtime because there's no need to locate terminator?
char *strncat(char * restrict s1, const char * restrict s2, size_t n);
Unlikely. In general, char *strncat() needs to locate a null character in s2, if it exists before s2[n], as concatenation stop before n characters. Of course, the
null character in s2 of strcpy(s1,s2) needs to be found.
strncat(dest, "values", sizeof("values") - 1); may be slower than strcat(dest, "values"); and is not safer.
Code that does not overrun the array that may truncate:
// Assuming dest is an array
strncat(dest, "values", sizeof dest - strlen(dest) - 1);
An optimization compiler is allowed to "look-inside" well known functions like the ones below and emit code that "knows" the length/size of "values". such a compiler would certainly make equivalent performance code for the 2 below as the resultant functionality is identical - in this case.
strcat(dest, "values");
// or
strncat(dest, "values", sizeof("values") - 1);
I am using the code below:
char filename[ 255 ];
strncpy( filename, getenv( "HOME" ), 235 );
strncat( filename, "/.config/stationlist.xml", 255 );
Get this message:
(warning) Dangerous usage of strncat - 3rd parameter is the maximum number of characters to append.
(error) Dangerous usage of 'filename' (strncpy doesn't always null-terminate it).
I typically avoid using str*cpy() and str*cat(). You have to contend with boundary conditions, arcane API definitions, and unintended performance consequences.
You can use snprintf() instead. You only have to be contend with the size of the destination buffer. And, it is safer in that it will not overflow, and will always NUL terminate for you.
char filename[255];
const char *home = getenv("HOME");
if (home == 0) home = ".";
int r = snprintf(filename, sizeof(filename), "%s%s", home, "/.config/stationlist.xml");
if (r >= sizeof(filename)) {
/* need a bigger filename buffer... */
} else if (r < 0) {
/* handle error... */
}
You may overflow filename with your strncat call.
Use:
strncat(filename, "/.config/stationlist.xml",
sizeof filename - strlen(filename) - 1);
Also be sure to null terminate your buffer after strncpy call:
strncpy( filename, getenv( "HOME" ), 235 );
filename[235] = '\0';
as strncpy does not null terminate its destination buffer if the length of the source is larger or equal than the maximum number of character to copy.
man strncpy has this to say:
Warning: If there is no null byte among the first n bytes
of src, the string placed in dest will not be null terminated.
If it encounters the 0 byte in the source before it exhausts the maximum length, it will be copied. But if the maximum length is reached before the first 0 in the source, the destination will not be terminated. Best to make sure it is yourself after strncpy() returns...
Both strncpy() and (even more so) strncat() have non-obvious behaviours and you would be best off not using either.
strncpy()
If your target string is, for sake of argument, 255 bytes long, strncpy() will always write to all 255 bytes. If the source string is shorter than 255 bytes, it will zero pad the remainder. If the source string is longer than 255 bytes, it will stop copying after 255 bytes, leaving the target without a null terminator.
strncat()
The size argument for most of the 'sized' functions (strncpy(), memcpy(), memmove(), etc) is the number of bytes in the target string (memory). With strncat(), the size is the amount of space left after the end of the string that's already in the target. Therefore, you can only safely use strncat() when you know both how big the target buffer is (S) and how long the target string currently is (L). The safe parameter to strncat() is then S-L (we'll worry about whether there's an off-by-one some other time). But given that you know L, there is no point in making strncat() skip the L characters; you could have passed target+L as the place to start, and simply copied the data. And you could use memmove() or memcpy(), or you could use strcpy(), or even strncpy(). If you don't know the length of the source string, you've got to be confident that it makes sense to truncate it.
Analysis of code in question
char filename[255];
strncpy(filename, getenv("HOME"), 235);
strncat(filename, "/.config/stationlist.xml", 255);
The first line is unexceptionable unless the size is deemed too small (or you run the program in a context where $HOME is not set), but that's out of scope for this question. The call to strncpy() does not use sizeof(filename) for the size, but rather an arbitrarily small number. It isn't the end of the world, but there's no guarantee that the last 20 bytes of the variable are zero bytes (or even that any of them is a zero byte), in general. Under some circumstances (filename is a global variable, previously unused) the zeros might be guaranteed.
The strncat() call tries to append 24 characters to the end of the string in filename that might already be 232-234 bytes long, or that might be arbitrarily longer than 235 bytes. Either way, that is a guaranteed buffer overflow. The usage of strncat() also falls directly into the trap about its size. You've said that it is OK to add up to 255 characters beyond the end of what's already in filename, which is blatantly wrong (unless the string from getenv("HOME") happens to be empty).
Safer code:
char filename[255];
static const char config_file[] = "/.config/stationlist.xml";
const char *home = getenv("HOME");
size_t len = strlen(home);
if (len > sizeof(filename) - sizeof(config_file))
...error file name will be too long...
else
{
memmove(filename, home, len);
memmove(filename+len, config_file, sizeof(config_file));
}
There will be those who insist that 'memcpy() is safe because the strings cannot overlap', and at one level they're correct, but overlap should be a non-issue and with memmove(), it is a non-issue. So, I use memmove() all the time...but I've not done the timing measurements to see how big of a problem it is, if it is a problem at all. Maybe the other people have done the measurements.
Summary
Don't use strncat().
Use strncpy() cautiously (noting its behaviour on very big buffers!).
Plan to use memmove() or memcpy() instead; if you can do the copy safely, you know the sizes necessary to make this sensible.
1) Your strncpy does not necessarily null-terminate filename. In fact, if getenv("HOME") is longer than 235 characters and getenv("HOME")[234] is not a 0, it won't.
2) Your strncat() may attempt to extend filename beyond 255 characters, because, as it says,
3rd parameter is the maximum number of characters to append.
(not the total allowed length of dst)
strncpy(Copied_to,Copied_from,sizeof_input) outputs garbage values after the character array (not used for string type). To solve it output using a for loop traversing the character array rather than simply using cout<<var;
for(i=0;i<size;i++){cout<<var[i]}
I couldn't find a work around for traversal on a windows system using minGW compiler.
Null termination does not solve the problem. Online compilers works just fine.
When I run some code on my machine then it behaves as I expect it to.
When I run it on a colleagues it misbehaves. This is what happens.
I have a string with a value of:
croc_data_0001.idx
when I do a strncpy on the string providing 18 as the length my copied string has a value of:
croc_data_0001.idx♂
If I do the following
myCopiedString[18]='\0';
puts (myCopiedString);
Then the value of the copied string is:
croc_data_0001.idx
What could be causing this problem and why does it get resolved by setting the last char to \0?
According to http://www.cplusplus.com/reference/clibrary/cstring/strncpy/
char * strncpy ( char * destination, const char * source, size_t num );
Copy characters from string
Copies the first num characters of source to destination. If the end
of the source C string (which is signaled by a null-character) is
found before num characters have been copied, destination is padded
with zeros until a total of num characters have been written to it.
No null-character is implicitly appended to the end of destination, so destination will only be null-terminated if the length
of the C string in source is less than num.
Thus, you need to manually terminate your destination with '\0'.
strncpy does not want the size of the string to be copied, but the size of the target buffer.
In your case, the target buffer is 1 too short, disabling strncpy to zero-terminate the string. So everything that is behind the string resp. position 18 and is non-zero will be treated as belonging to the string.
Normally, functions taking a buffer size are called with exactly that, i. e.
char dest[50];
strncpy(dest, "croc_data_0001.idx", sizeof dest);
With this and an additional
dest[sizeof dest - 1] = '\0';
the string will always be 0-terminated.
I think the C standard describes this function in a clearer manner than the links others have posted.
ISO 9899:2011
7.24.2.4 The strncpy function
char *strncpy (char * restrict s1,
const char * restrict s2,
size_t n);
The strncpy function copies not more than n characters (characters that follow a null
character are not copied) from the array pointed to by s2 to the array pointed to by s1. If copying takes place between objects that overlap, the behavior is undefined.
If the array pointed to by s2 is a string that is shorter than n characters, null characters
are appended to the copy in the array pointed to by s1, until n characters in all have been
written.
how much space have been alloted to myCopiedString variable? if its more than the length of the source string, then make sure you use bzero to clear out the destination variable.
strncpy does not always add a \0. See http://www.cplusplus.com/reference/clibrary/cstring/strncpy/
So either clear out your destination buffer beforehand, or always add the \0 yourself, or use strcpy.
If the question is: "why does uninitialised memory on my machine have different content than on another machine", well, one can only guess.
Edit changed wording somewhat; see comment.
For doing string concatenation, I've been doing basic strcpy, strncpy of char* buffers. Then I learned about the snprintf and friends.
Should I stick with my strcpy, strcpy + \0 termination? Or should I just use snprintf in the future?
For most purposes I doubt the difference between using strncpy and snprintf is measurable.
If there's any formatting involved I tend to stick to only snprintf rather than mixing in strncpy as well.
I find this helps code clarity, and means you can use the following idiom to keep track of where you are in the buffer (thus avoiding creating a Shlemiel the Painter algorithm):
char sBuffer[iBufferSize];
char* pCursor = sBuffer;
pCursor += snprintf(pCursor, sizeof(sBuffer) - (pCursor - sBuffer), "some stuff\n");
for(int i = 0; i < 10; i++)
{
pCursor += snprintf(pCursor, sizeof(sBuffer) - (pCursor - sBuffer), " iter %d\n", i);
}
pCursor += snprintf(pCursor, sizeof(sBuffer) - (pCursor - sBuffer), "into a string\n");
snprintf is more robust if you want to format your string. If you only want to concatenate, use strncpy (don't use strcpy) since it's more efficient.
As others did point out already: Do not use strncpy.
strncpy will not zero terminate in case of truncation.
strncpy will zero-pad the whole buffer if string is shorter than buffer. If buffer is large, this may be a performance drain.
snprintf will (on POSIX platforms) zero-terminate. On Windows, there is only _snprintf, which will not zero-terminate, so take that into account.
Note: when using snprintf, use this form:
snprintf(buffer, sizeof(buffer), "%s", string);
instead of
snprintf(buffer, sizeof(buffer), string);
The latter is insecure and - if string depends on user input - can lead to stack smashes, etc.
sprintf has an extremely useful return value that allows for efficient appending.
Here's the idiom:
char buffer[HUGE] = {0};
char *end_of_string = &buffer[0];
end_of_string += sprintf( /* whatever */ );
end_of_string += sprintf( /* whatever */ );
end_of_string += sprintf( /* whatever */ );
You get the idea. This works because sprintf returns the number of characters it wrote to the buffer, so advancing your buffer by that many positions will leave you pointing to the '\0' at the end of what's been written so far. So when you hand the updated position to the next sprintf, it can start writing new characters right there.
Constrast with strcpy, whose return value is required to be useless. It hands you back the same argument you passed it. So appending with strcpy implies traversing the entire first string looking for the end of it. And then appending again with another strcpy call implies traversing the entire first string, followed by the 2nd string that now lives after it, looking for the '\0'. A third strcpy will re-traverse the strings that have already been written yet again. And so forth.
So for many small appends to a very large buffer, strcpy approches (O^n) where n is the number of appends. Which is terrible.
Plus, as others mentioned, they do different things. sprintf can be used to format numbers, pointer values, etc, into your buffer.
I think there is another difference between strncpy and snprintf.
Think about this:
const int N=1000000;
char arr[N];
strncpy(arr, "abce", N);
Usually, strncpy will set the rest of the destination buffer to '\0'. This will cost lots of CPU time. While when you call snprintf,
snprintf(a, N, "%s", "abce");
it will leave the buffer unchanged.
I don't know why strncpy will do that, but in this case, I will choose snprintf instead of strncpy.
All *printf functions check formatting and expand its corresponding argument, thus it is slower than a simple strcpy/strncpy, which only copy a given number of bytes from linear memory.
My rule of thumb is:
Use snprintf whenever formatting is needed.
Stick to strncpy/memcpy when only need to copy a block of linear memory.
You can use strcpy whenever you know exatcly the size of buffers you're copying. Don't use that if you don't have full control over the buffers size.
strcpy, strncpy, etc. only copies strings from one memory location to another. But, with snprint, you can do more stuff like formatting the string. Copying integers into buffer, etc.
It purely depends on your requirement which one to use. If as per your logic, strcpy & strncpy is already working for you, there is no need to jump to snprintf.
Also, remember to use strncpy for better safety as suggested by others.
The difference between strncpy and snprintf is that strncpy basically lays on you responsibility of terminating string with '\0'. It may terminate dst with '\0' but only if src is short enough.
Typical examples are:
strncpy(dst, src, n);
// if src is longer than n dst will not contain null
// terminated string at this point
dst[n - 1] = '\0';
snprintf(dst, n, "%s", src); // dst will 100% contain null terminated string
Edit: I've added the source for the example.
I came across this example:
char source[MAX] = "123456789";
char source1[MAX] = "123456789";
char destination[MAX] = "abcdefg";
char destination1[MAX] = "abcdefg";
char *return_string;
int index = 5;
/* This is how strcpy works */
printf("destination is originally = '%s'\n", destination);
return_string = strcpy(destination, source);
printf("after strcpy, dest becomes '%s'\n\n", destination);
/* This is how strncpy works */
printf( "destination1 is originally = '%s'\n", destination1 );
return_string = strncpy( destination1, source1, index );
printf( "After strncpy, destination1 becomes '%s'\n", destination1 );
Which produced this output:
destination is originally = 'abcdefg'
After strcpy, destination becomes '123456789'
destination1 is originally = 'abcdefg'
After strncpy, destination1 becomes '12345fg'
Which makes me wonder why anyone would want this effect. It looks like it would be confusing. This program makes me think you could basically copy over someone's name (eg. Tom Brokaw) with Tom Bro763.
What are the advantages of using strncpy() over strcpy()?
The strncpy() function was designed with a very particular problem in mind: manipulating strings stored in the manner of original UNIX directory entries. These used a short fixed-sized array (14 bytes), and a nul-terminator was only used if the filename was shorter than the array.
That's what's behind the two oddities of strncpy():
It doesn't put a nul-terminator on the destination if it is completely filled; and
It always completely fills the destination, with nuls if necessary.
For a "safer strcpy()", you are better off using strncat() like so:
if (dest_size > 0)
{
dest[0] = '\0';
strncat(dest, source, dest_size - 1);
}
That will always nul-terminate the result, and won't copy more than necessary.
strncpy combats buffer overflow by requiring you to put a length in it. strcpy depends on a trailing \0, which may not always occur.
Secondly, why you chose to only copy 5 characters on 7 character string is beyond me, but it's producing expected behavior. It's only copying over the first n characters, where n is the third argument.
The n functions are all used as defensive coding against buffer overflows. Please use them in lieu of older functions, such as strcpy.
While I know the intent behind strncpy, it is not really a good function. Avoid both. Raymond Chen explains.
Personally, my conclusion is simply to avoid strncpy and all its friends if you are dealing with null-terminated strings. Despite the "str" in the name, these functions do not produce null-terminated strings. They convert a null-terminated string into a raw character buffer. Using them where a null-terminated string is expected as the second buffer is plain wrong. Not only do you fail to get proper null termination if the source is too long, but if the source is short you get unnecessary null padding.
See also Why is strncpy insecure?
strncpy is NOT safer than strcpy, it just trades one type of bugs with another. In C, when handling C strings, you need to know the size of your buffers, there is no way around it. strncpy was justified for the directory thing mentioned by others, but otherwise, you should never use it:
if you know the length of your string and buffer, why using strncpy ? It is a waste of computing power at best (adding useless 0)
if you don't know the lengths, then you risk silently truncating your strings, which is not much better than a buffer overflow
What you're looking for is the function strlcpy() which does terminate always the string with 0 and initializes the buffer. It also is able to detect overflows. Only problem, it's not (really) portable and is present only on some systems (BSD, Solaris). The problem with this function is that it opens another can of worms as can be seen by the discussions on
http://en.wikipedia.org/wiki/Strlcpy
My personal opinion is that it is vastly more useful than strncpy() and strcpy(). It has better performance and is a good companion to snprintf(). For platforms which do not have it, it is relatively easy to implement.
(for the developement phase of a application I substitute these two function (snprintf() and strlcpy()) with a trapping version which aborts brutally the program on buffer overflows or truncations. This allows to catch quickly the worst offenders. Especially if you work on a codebase from someone else.
EDIT: strlcpy() can be implemented easily:
size_t strlcpy(char *dst, const char *src, size_t dstsize)
{
size_t len = strlen(src);
if(dstsize) {
size_t bl = (len < dstsize-1 ? len : dstsize-1);
((char*)memcpy(dst, src, bl))[bl] = 0;
}
return len;
}
The strncpy() function is the safer one: you have to pass the maximum length the destination buffer can accept. Otherwise it could happen that the source string is not correctly 0 terminated, in which case the strcpy() function could write more characters to destination, corrupting anything which is in the memory after the destination buffer. This is the buffer-overrun problem used in many exploits
Also for POSIX API functions like read() which does not put the terminating 0 in the buffer, but returns the number of bytes read, you will either manually put the 0, or copy it using strncpy().
In your example code, index is actually not an index, but a count - it tells how many characters at most to copy from source to destination. If there is no null byte among the first n bytes of source, the string placed in destination will not be null terminated
strncpy fills the destination up with '\0' for the size of source, eventhough the size of the destination is smaller....
manpage:
If the length of src is less than n, strncpy() pads the remainder of
dest with null bytes.
and not only the remainder...also after this until n characters is
reached. And thus you get an overflow... (see the man page
implementation)
This may be used in many other scenarios, where you need to copy only a portion of your original string to the destination. Using strncpy() you can copy a limited portion of the original string as opposed by strcpy(). I see the code you have put up comes from publib.boulder.ibm.com.
That depends on our requirement.
For windows users
We use strncpy whenever we don't want to copy entire string or we want to copy only n number of characters. But strcpy copies the entire string including terminating null character.
These links will help you more to know about strcpy and strncpy
and where we can use.
about strcpy
about strncpy
the strncpy is a safer version of strcpy as a matter of fact you should never use strcpy because its potential buffer overflow vulnerability which makes you system vulnerable to all sort of attacks