USENIX Technical Program - Abstract - USENIX 99
strlcpy and strlcat--Consistent, Safe, String Copy and Concatenation
Todd C. Miller, University of Colorado, Boulder; Theo de Raadt, The OpenBSD Project
Abstract
As the prevalence of buffer overflow attacks has increased, more
and more programmers are using size or length-bounded string functions
such as strncpy() and strncat(). While this is certainly an
encouraging trend, the standard C string functions generally used
were not really designed for the task. This paper describes an
alternate, intuitive, and consistent API designed with safe string
copies in mind.
There are several problems encountered when strncpy() and strncat()
are used as safe versions of strcpy() and strcat(). Both functions
deal with NUL-termination and the length parameter in different and
non-intuitive ways that confuse even experienced programmers. They
also provide no easy way to detect when truncation occurs. Finally,
strncpy() zero-fills the remainder of the destination string,
incurring a performance penalty. Of all these issues, the confusion
caused by the length parameters and the related issue of NUL-termination
are most important. When we audited the OpenBSD source tree for
potential security holes we found rampant misuse of strncpy() and
strncat(). While not all of these resulted in exploitable security
holes, they made it clear that the rules for using strncpy() and
strncat() in safe string operations are widely misunderstood. The
proposed replacement functions, strlcpy() and strlcat(), address
these problems by presenting an API designed for safe string copies
(see Figure 1 for function prototypes).
Both functions guarantee NUL-termination, take as a length parameter
the size of the string in bytes, and provide an easy way to detect
truncation. Neither function zero-fills unused bytes in the
destination.
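An added example, not code from the paper or from OpenBSD: implementations of strlcpy() and strlcat() written to the contract described above (the length parameter is the full size of the destination buffer, the result is always NUL-terminated when that size is non-zero, the return value is the length of the string the call tried to create so that a return value >= size means truncation, and the unused tail is not zero-filled), next to a check that reproduces the strncpy() termination pitfall the paper points out. The my_ prefixes and build_truncates() are this example's own names.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dst, a buffer of dsize bytes. Always NUL-terminates when
 * dsize > 0. Returns strlen(src); a result >= dsize means truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';          /* bytes after the NUL are left untouched */
    }
    return srclen;
}

/* Append src to dst, a buffer of dsize bytes. Returns the length of the
 * string it tried to create (initial strlen(dst) + strlen(src)); a result
 * >= dsize means truncation. */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')   /* bounded scan of dst */
        dlen++;
    size_t srclen = strlen(src);
    if (dlen == dsize)                  /* dst unterminated: append nothing */
        return dsize + srclen;
    size_t room = dsize - dlen - 1;
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + srclen;
}

/* The strncpy() pitfall: copying a string as long as the buffer leaves no
 * terminator at all. Returns 1 if the 4-byte buffer ends up unterminated. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[4];
    strncpy(buf, src, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) == NULL;
}

/* Builds "dir/file" into out with the new API; every step's return value
 * is compared against the buffer size, so truncation anywhere is reported. */
int build_truncates(char *out, size_t outsize, const char *dir, const char *file)
{
    if (my_strlcpy(out, dir, outsize) >= outsize) return 1;
    if (my_strlcat(out, "/", outsize) >= outsize) return 1;
    return my_strlcat(out, file, outsize) >= outsize;
}
```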