16

I have an old project that is mixed C and C++. It makes extensive use of C strings and of strcpy,strcat,strncpy,strncat etc. I've uncovered a number of buffer overflows, and I'd like to use more secure functions, such as strcpy_s. MSVC includes those functions, but I need something that will work on various platforms - linux, osx, and windows at the least.

I do know of strlcpy, but as plenty of people have noted (example), it really isn't an improvement.

So: Are there any free implementations of strcpy_s, strcat_s, etc, or of the entire TR24731-1?

I need something that's either public domain or BSD, but if you know of implementations under other licenses, go ahead and list them - I'm sure someone else will benefit.

Mark
  • 1,035
  • 2
  • 11
  • 24
  • Is the `MIT` license okay? It's basically [BSD-3](http://en.wikipedia.org/wiki/BSD_licenses#3-clause_license_.28.22New_BSD_License.22_or_.22Modified_BSD_License.22.29) without the third clause, if I'm not mistaken. – Joey Adams Apr 09 '12 at 00:45
  • Yes, MIT is fine. I forgot to mention it. Thx `:)` – Mark Apr 09 '12 at 00:53
  • You may be interested in using `mudflap` on Linux. From the documentation: "Modules so instrumented should be immune to buffer overflows, invalid heap use, and some other classes of C/C++ programming errors." It is enabled by `-fmudflap` on GCC, requires installing the `mudflap` library, but probably should be avoided for the C++ parts. – Dietrich Epp Apr 09 '12 at 01:09
  • 1
    As an alternative, avoiding a separate library, you can abuse the (standard as of C99) `snprintf` to accomplish the task correctly/safely (if possibly ever-so-slightly slower due to format string handling). A bad `strncpy(dst, src, dstlen)` can convert directly to a good `snprintf(dst, dstlen, "%s", src);`; it even returns the number of characters written, so you can test for truncation (if the return value is `>= dstlen`, the output was truncated). – ShadowRanger Jun 21 '18 at 16:09

3 Answers3

18

Try with the Safe C library. It's under the MIT license and according to this list implements the functions you're looking for:

The Safe C Library provides bound checking memory and string functions per ISO/IEC TR24731. These functions are alternative functions to the existing standard C library that promote safer, more secure programming

Óscar López
  • 232,561
  • 37
  • 312
  • 386
  • 1
    Good find! I spent quite a bit of time trying to coax an answer out of The Google, but didn't have any luck. – Mark Apr 09 '12 at 13:27
5

You can use memcpy and memset etc, which are portable and safer than string functions.

P.P
  • 117,907
  • 20
  • 175
  • 238
  • 1
    This is an excellent suggestion. Calling `strlen` once and then using explicit-length memory operations is a very nice way to deal safely with strings. – Stephen Canon Apr 09 '12 at 12:29
  • performance can be the problem http://programminginadarkroom.blogspot.it/2012/02/c-strcpy-vs-memcpy-for-copying-string.html – Massimo Fazzolari Jun 06 '13 at 21:03
  • @MassimoFazzolari That's a poor way of benchmarking. In each of those memcpy calls there's a call to strlen(). With optimizations enabled, both memcpy and strcpy gave me the same time for that code (as compiler likely to loops as they repeatedly overwrite the same string). Without any optimization and replacing `strlen(in)` with 12 showed memcpy is twice as fast as strcpy. – P.P Jun 07 '13 at 07:53
2

Why not using strncpy and strncat? Contrary to strlcpy and strlcat, they are standard C functions. These functions are not perfect but you can use them safely.

And also note that the bounds-checking _s functions are optional in the current Standard.

ouah
  • 142,963
  • 15
  • 272
  • 331
  • 5
    `strncpy` and `strncat` have some issues that make it hard to use them safely and efficiently; they do not guarantee NUL termination of the destination buffer, but they also do more work than is required for safety in always writing `n` characters even if the string is much shorter. – Stephen Canon Apr 09 '12 at 01:01
  • @StephenCanon but you can use them safely. – ouah Apr 09 '12 at 01:02
  • Strncpy and stncat are never a solution. They are even worse than the problem. Combined, they are even worse. (strncpy can result in an unterminated string if there is insufficient space, strncat can write at dest[len] ) – wildplasser Apr 09 '12 at 01:04
  • 1
    @wildplasser yes, don't forget to `- 1` for `strncpy` and `strncat` and null terminate the string yourself for `strncpy`. But these two functions, even if we admit they are badly designed, do what they are expected to do from the specifications. – ouah Apr 09 '12 at 01:10
  • The project already uses `strncpy` and `strncat` in some places. I've edited the question, but I meant for those functions to be implied by the 'etc'. Those functions _can_ be safely used, but it can be difficult. The code I'm working with can be pretty hard to follow, so it's not always obvious how big a string can possibly be. I want functions that will `fail noisily` when there are problems, and it is my understanding that the `*_s` functions will do just that. – Mark Apr 09 '12 at 01:12
  • 1
    Having to remember to add/substract 1 is a recipe for disaster. Best is still IMHO to only use the memxxx() functions and keep a manual count, or use snprintf() (which is stable since c99) – wildplasser Apr 09 '12 at 01:13