ansaurus

Question

Answer 1

+6 A:

This function (strcpy) is considered unsafe due to the fact that there is no bounds checking and can lead to buffer overflow. (Actually strcpy is infamous for overflow exploits and all programmers avoid it-or at least should avoid it). The advice is to use a safe function which takes into account the size of the destination buffer to avoid overflow. You could also use strncpy (BUT with caution!). There is no problem with your code, i.e. the functions will run as you say but try giving as input a buffer that is larger than the destination buffer. The function will overflow the destination buffer. Check this also link text

2010-10-25 06:22:43

Well, all programmers avoid it to deal with **user input** without checkings. But in a context where you know for sure your string is NULL terminated, you can safely use it.

ereOn 2010-10-25 06:30:37

@ereOn:The problem is that standard C functions are unaware of the size of the destination buffer.Even if the input src buffer is properly NULL terminated, there is no way to stop the copy if the destination buffer is of smaller size.This has to be handled either by the calling function or a safe version of a strcpy function MUST be used. You are right that dealing with user input is a big issue. BUT overall still it is better to refrain using strcpy alltogether in all cases.

2010-10-25 06:55:05

Do not use strncpy(); it does not guarantee null-terminated strings, and if used to copy a short string into a large buffer it zealously zeroes out the unused part of the buffer, which is seldom really necessary. It was fine for its original job (copying up to 14 characters into a directory entry in the old Unix file system) but not really for much else.

Jonathan Leffler 2010-10-25 07:08:51

@Jonathan:Yes strnpy is unsafe IF used as it is, AND the programmer is unaware of its shuttle usage details.But it can be used as a base to create a new safer version of sting copy.

2010-10-25 07:32:28

@user384706: `strcpy` or `memcpy` can be used as a base to create a new safer version of string copy, and you'll get a better helper function as a result. There's no call for using `strncpy` anywhere near this problem.

Steve Jessop 2010-10-25 11:51:16

@Steve:memcpy is unaware of strings.I.e. it does not understand a NULL terminating character. It just copies the specified number of bytes from src to dest.So it is not a good idea to use memcpy. Additionally strncpy, understands both a NULL terminated string AND a user specified length.Underneath strcpy is called, but strncpy is still a better api to build on, for creating a safe version of string copy

2010-10-25 11:57:54

@user384706: `memcpy` isn't aware of NUL, but I the programmer am. If I'm writing a safer replacement for `strcpy`, then I'm going to do it at most once per project (probably less often, since in most C++ projects you can just use `std::string`), and I can afford to pay attention to both buffer lengths and NUL-termination, and get it right. Any such function written using `strncpy` would be better written using `memcpy`, or perhaps with no library calls at all, unless written by someone with no business programming C++ in the first place who would have messed up the `memcpy` version.

Steve Jessop 2010-10-25 12:04:22

I guess what I'm saying really is, that `strcpy` is "unsafe" when used a lot, because eventually you'll make a mistake. It's not "unsafe" when used once per project in a well-tested helper function. Or if it is, then the author doesn't need a CERT advisory telling him not to use `strcpy`, he needs a CERT advisory telling him not to use C or C++.

Steve Jessop 2010-10-25 12:06:31

@Steve:memcpy does not stop copying if it encounters a NULL terminating character.It accepts a user specified length instead, on how much data to copy.As a result, memcpy can not simply substitute strcpy. Memcpy is not for strings and is functionally different than strcpy.So what is your point?

2010-10-25 12:10:08

My point is that *if you're writing a safe replacement for strcpy*, and your code uses strncpy, then you have done it wrong. Obviously I never suggested that memcpy would "simply substitute" strcpy. It can't. And for that matter neither can strncpy.

Steve Jessop 2010-10-25 12:10:52

@steve:Really? And memcpy does the job? Memcpy is not for strings for reason already explained (does not stop copying if it encounters a NULL terminating character). If you have an authoritative reference for your opinion, I would be happy to learn it, so that I benefit.

2010-10-25 12:12:28

I know exactly what memcpy does. If you'd like to write your "safer version of string copy" that uses strncpy, then I'd be happy to show you how to improve on it with code that uses memcpy, or strcpy, or just a loop manipulating characters. Which one to use depends whether the source string length has already been computed (e.g. to allocate memory), so you won't find an authoritative source to do your thinking for you. My initial point remains that in no case is strncpy good for this.

Steve Jessop 2010-10-25 12:17:02

@steve:somehow the comments got mixed.Anyway, it is possible to write a safe function e.g. strcpy_secure that under the hood calls strncpy.strcpy_secure, acting as a wrapper, handle the saddle-ties of strncpy (e.g. the missing null termination depending on length provided), and in the strcpy_secure is fine.

2010-10-25 12:19:15

@user384706: possible, yes. But as I said right from the start, you'll get a better function if you do it without strncpy. Once you've handled the missing nul-termination case, strncpy still needlessly fills the destination buffer in every other case.

Steve Jessop 2010-10-25 12:20:51

@Steve:Ok, since memcpy's signature is void * memcpy ( void * destination, const void * source, size_t num ); and num is the number of bytes to copy from source to destination, i.e. it does not take into account the size of the destination buffer, and also does not stop copying even if a NULL terminating character is found, can you give a snippet presenting your safe version?Because as far as I can see, the simplest and most intuitive version (among memcpy and strncpy) is the use of strncpy

2010-10-25 12:41:56

Use memcpy if the length of the source string is already known, and a loop otherwise. It will therefore stop copying on the NUL byte, because that's what you told it to copy. I can't present a snippet, because I don't know what signature your preferred "safe version of string copy" has. My preferred safe string handling is `std::string`, so there's no point me writing snippets based on my preference. I do know that strncpy is a very clunky tool for the job, especially when copying a short string into a large buffer. I'm pretty confident that no `std::string` implementation uses `strncpy`.

Steve Jessop 2010-10-25 13:53:57

Answer 2

+6 A:

Since VC++ 8 strcpy() and a huge set of other functions are considered to be unsafe since they don't have bounds checking and can lead to a buffer overrun if misused.

You have two options:

if you're unsure - do what VC++ says and use "safe" functions. They will trigger an error handler that will terminate your program if something goes wrong.
if you know what you're doing - you know that no overrun will ever occur and all edge cases are handled by your code - define _CRT_SECURE_NO_WARNINGS prior to including CRT headers and this will make the warning go away.

sharptooth 2010-10-25 06:26:26

If you decide to use the "safe" functions you might like the VS 2010 extension I blogged about that flags these for you before you build, and offers you replacements in the tooltip. http://www.gregcons.com/KateBlog/BannedAPIsFlaggedForYou.aspx

Kate Gregory 2010-10-25 10:38:12

Answer 3

A:

That warning is basically informing you that strcpy is deprecated, because copying a string until \0 can easily lead to nasty problems (buffer overruns). The reason strcpy is still there and works is that it is part of the standard library legacy, but you should really consider using str*_s or strn* functions (which don't exclusively rely on finding the terminating \0).

Since buffer overruns are linked not only to security problems, but also to bugs which are relatively difficult to trace and fix, using plain vanilla str* functions is not only generally frowned upon, but can lead to people rejecting your code as inherently unsafe.

More details: http://www.safercode.com/blog/2008/11/04/unsafe-functions-in-c-and-their-safer-replacements-strings-part-i.html

Vladski 2010-10-25 06:30:26

Vladski: Your link explicitly says that the strn* functions you recommend are prone to problems.

Gabe 2010-10-25 07:20:32

Answer 4

+2 A:

While strcpy is a common string function, it has a history of being the source of many bugs and security holes in software (due to the ease of buffer overflows).

Microsoft, in an effort to promote safer coding in C and C++ has provided a suite of replacement functions for the dangerous string methods. Typically they have the original name postpended with _s. Hence the Microsoft secure version of strcpy is strcpy_s as recommended in the warning. Note this a Microsoft specific feature, it's not ubiquitious.

You've got a few options.

DEFINE _CRT_SECURE_NO_WARNINGS if you don't want to care about it, leaving the possibility of the security issues in your software.
Replace your string functions with the secure ones, leaving your software less portable as a consequence
Wrap the secure string functions and use the wrappers everywhere, providing enhanced security on Windows platforms, and falling back to the traditional versions on other platforms. The wrapper functions could be via a MACRO or compiled functions.

I typically do #3.

Montdidier 2010-10-25 06:30:53

[Sometimes the "safe" functions aren't so safe. :-O](http://stackoverflow.com/questions/2738260/false-sense-of-security-with-snprintf-s)

James McNellis 2010-10-25 06:33:09

I'm sure it's still possible to make mistakes, but did you have a specific example in mind?

Montdidier 2010-10-25 06:35:56

@Montdidier: Have you checked the link James McNellis posted in his comment ?

ereOn 2010-10-25 06:37:29

Oh. My eyes aren't working today. Ok, so there is a bug in some versions of Visual Studio.

Montdidier 2010-10-25 06:39:54

Answer 5

+3 A:

Since you’re programming C++, the correct solution is to ban C-style char* strings from your code where possible, and replace them by std::string (or another appropriate string type).

Do not use functions such as strcpy or strcpy_s or strncpy. Use the copy constructor or assignment operator of the string class. Or if you really need to copy buffers, use std::copy.

Konrad Rudolph 2010-10-25 06:34:13

Answer 6

+1 A:

There is actualy a way to avoid this warning, still use strcpy, and be safe:

You can enable the secure template overloads. They will (if possible) deduce the lengths of the buffers used by capturing them with templated overloads. It's a mystery to me why this is not enabled by default in Visual C++.

jdv 2010-10-25 06:37:57

ansaurus

tags:

views:

answers:

C++ 'strcpy' gives a Warning (C4996)

related questions