Secure Coding mailing list archives

Re: strncpy (was: Re: New Microsoft Security Tool for developers)


From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 17 Dec 2003 13:08:05 +0000

David A. Wheeler wrote:

This "excess nul'ing" is extremely perverse behavior... but it's true.
This is clearly stated in Kernighan and Ritchie second edition
[Kernighan 1988, page 249], and this behavior is clearly documented in
the man pages for Linux, FreeBSD, and Solaris.  I don't have the formal
standards handy but I believe they say the same.

Of course, it's in the standard:

| 7.21.2.4 The strncpy function
| Synopsis
|        #include <string.h>
|        char *strncpy(char * restrict s1,
|                const char * restrict s2,
|                size_t n);
| Description
| The strncpy function copies not more than n characters (characters
| that follow a null character are not copied) from the array pointed to
| by s2 to the array pointed to by s1.  If copying takes place between
| objects that overlap, the behavior is undefined.
| 
| If the array pointed to by s2 is a string that is shorter than n
| characters, null characters are appended to the copy in the array
| pointed to by s1, until n characters in all have been written.
|
| [...]


(The fact that few have the formal standards handy, but every user of
C has K&R handy, is probably a good argument that K&R is the "real"
standard anyway... but I digress...).

No one should write C programs after reading significant parts of the
standard.  Otherwise, it's not unlikely that the code doesn't do what
the programmer intends, and works on a single platform, with a specific
compiler version only.  For example, the standard permits a lot of
optimization by specifying undefined behavior, but very few
implementations make use of this potential.  As a result, new compiler
versions often break existing code.  In theory, this can have security
implications, see:

  <http://cert.uni-stuttgart.de/advisories/c-integer-overflow.php>
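As an added illustration of the padding and termination rules quoted from the standard above (example code written for this page, not from the thread or its participants): a small C program that counts the null bytes strncpy writes, checks whether the result is terminated at all, and shows the usual wrapper idiom that always terminates; `strncpy_null_padding`, `strncpy_terminated` and `bounded_copy` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8

/* Fill dst with a sentinel, run strncpy, and return how many of the n bytes
 * strncpy overwrote with null padding (0 when src has n or more characters). */
size_t strncpy_null_padding(char *dst, size_t n, const char *src)
{
    memset(dst, 'X', n);   /* sentinel so every byte strncpy wrote is visible */
    strncpy(dst, src, n);
    size_t nulls = 0;
    for (size_t i = 0; i < n; i++)
        if (dst[i] == '\0')
            nulls++;
    return nulls;
}

/* 1 if strncpy left a terminating null somewhere in dst[0..n-1], else 0. */
int strncpy_terminated(const char *src, size_t n)
{
    char dst[BUF_SIZE];
    if (n > sizeof dst)
        n = sizeof dst;
    strncpy_null_padding(dst, n, src);
    return memchr(dst, '\0', n) != NULL;
}

/* Defensive wrapper: copy at most size-1 bytes and always write the
 * terminator. Returns 1 if src was truncated, 0 otherwise. */
int bounded_copy(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return 1;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) >= size;
}

int main(void)
{
    char buf[BUF_SIZE];
    printf("short source: %zu nulls written, terminated=%d\n",
           strncpy_null_padding(buf, sizeof buf, "ab"), strncpy_terminated("ab", sizeof buf));
    printf("long source:  %zu nulls written, terminated=%d\n",
           strncpy_null_padding(buf, sizeof buf, "abcdefghij"), strncpy_terminated("abcdefghij", sizeof buf));
    bounded_copy(buf, sizeof buf, "abcdefghij");
    printf("bounded_copy: \"%s\"\n", buf);
    return 0;
}
```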
