“*BSD folks” are no more erratic than GNU, Linux or Solaris folks. In fact, they tend to be much more conservative and emphasize clean design. After all, GNU and Linux are nothing but a glorified BSD clone. It’s easy to avoid mistakes by taking advantage of decade long experience. Not that this would be automatic. Actually the GNU and Linux folks repeated a lot mistakes they could have avoided by learning from BSD history.

Anyway, there are actually two versions of snprintf(). A newer POSIX variant and one that has been provided by Solaris as an extension long before. The latter returns the resulting – possibly truncated – string length. The same you get by using strlen() with the result. The POSIX variant returns the length of the string if the buffer had been sufficient. So on truncation you could use that value to allocate a sufficient buffer and then repeat the call with this buffer to get an untruncatened string.

Also note that “%*.s” takes an “int” and not size_t as parameter and also returns an int. So it is limited to strings of a maximum length of INT_MAX. Something many 32-bit developers tend to ignore but is a easily an exploitable vulnerability nowadays on 64-bit systems with many gibibytes of RAM.

Last but not least, the printf family is a rather high-level interface and has – considering the alternatives – a lot of overhead internally.

In my opinion, a professional seasoned C developer will rarely rely on these silly C library functions except in small, trivial pieces of code. Rather they’ll use – or even roll their own – string library that takes care of memory allocation, truncation prevention and optimizations. Also strlcpy(), strncpy() etc. usually have subtle semantics – which you know if you bother reading their specifications – that are not desirable in many contexts when you actually use them. Examples:

strncpy() pads the whole destination buffer with NULs but does not guarantee NUL-termination. strncat() DOES guarantee NUL-termination. The padding may seem stupid and an inefficient but it makes a lot of sense in the intented contexts. Nobody ever claimed these are general purpose functions. Hence, don’t be shy to roll your own functions which make more sense in your context. Of course, make sure you specify them cleanly including corner-cases and test them. In C strings are not something abstract which is both an advantage and disadvantage.

strlcpy() can’t accept non-terminated data as source string and will also traverse the whole source string even if only a tiny part is copied. The latters makes it in efficient and an the former even insecure in many contexts.

the printf familly of functions is everything but trivial. It is surely convienient, but the proposed abuse fall into the category of ‘when all you have a hammer, everythings is a nail’.

strncpy is usually enough

char buffer [MAX_SIZE + 1]
strncpy(buffer, input, MAX_SIZE)
buffer[MAX_SIZE = 0;

but more careful is
if((size = strnlen(input, max_size)) < max_size)
{
memcpy(buffer, input, size);
buffer[size] = 0;
}
else
{
/* error processing */
}

For info:
#include
#include
#include

int main(int argc, char**argv)
{
char* source = argv[1];
char buffer[200];
int i;
int size;

if(argc > 2 && *argv[2] == ’s’)
{
for(i = 0; i < 100000000; i++)
{
snprintf(buffer, sizeof(buffer), “%s”, source);
source[10] |= i;
}
}
else if(source)
{
for(i = 0; i < 100000000; i++)
{
if((size = strnlen(source, 15)) < 15)
{
memcpy(buffer, source, size);
buffer[size] = 0;
source[10] |= i;
}
}
}
return 0;
}

$ time ./a.out “foo”

real 0m2.214s
user 0m2.210s
sys 0m0.000s
$ time ./a.out “foo” “s”

real 0m12.675s
user 0m12.593s
sys 0m0.000s

the printf version is 6 times!!! more expensive.

If that kind of performance waste is irrelevant to your program (and it could very well be), maybe you should not write it in C….

There is already better, standard, safe function serving the purpose perfectly – snprintf().

Tnstead of strcpy(a,b) – snprintf(a,sizeof(a),”%s”,b). Added bonus – snprintf( a, sizeof(a), “%.*s”, len_of_b, b ) – becomes critical when handling intermediate non-0 terminate strings.

Trivial snprintf() does miracles when you code safe string operations. For those in know – it does that for like ages now.

while(NULL != *src)

is incorrect because NULL is a special pointer value indicating the pointer has no value. You are comparing a pointer type with a char type – although it will often compile correctly if NULL is defined as 0. It won’t compile if NULL is defined as (void *)0). You mean to use ” (often hash defined as nul) and is the character which terminates a C string.