Why hasn't the software community hasn't more widely accepted the use of
strlcpy and strlcat? While these functions aren't included with all
platforms, the source is pretty simple to include in one's application.
The benefits are obvious: strlcpy truncates the copied string if
necessary based on the size provided, and insures that it is always NUL
terminated. The strlcat function acts the same way as strncat, only the
size being sent to the function is the maximum length of the string,
rather than the maximum number of characters to copy. It also NUL
terminates on truncation.

-----Original Message-----
From: Tim J. Robbins [mailto:timrobbins.dropbear.id.au]
Sent: Sunday, December 30, 2001 9:06 PM
To: bugtraqsecurityfocus.com
Subject: Re: gzip bug w/ patch..

On Sun, Dec 30, 2001 at 02:26:10PM -0000, greg wrote:

> well anyway, there is an attached patch, bye.

> - strcpy(nbuf,dir);
> + strncpy(nbuf, dir, sizeof(nbuf) - 1);

You must ensure the trailing NUL character is at the end of the
string:
  nbuf[sizeof(nbuf) - 1] = '\0';

Tim

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]