Comments on: Unsafe Functions In C And Their Safer Replacements: Strings Part II http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html Making Your Code Faster, Stronger, Safer… Thu, 18 Feb 2010 05:11:26 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: mcoon http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-249 mcoon Tue, 03 Mar 2009 17:09:58 +0000 http://www.safercode.com/blog/?p=25#comment-249 See the C++ STL string template object. #include ; #include ; using namespace std; int main(int argc, char *argv[]){ string s("This is a basic string."); cout << s << endl; } See the C++ STL string template object.

#include ;
#include ;

using namespace std;

int main(int argc, char *argv[]){
string s(“This is a basic string.”);
cout << s << endl;
}

]]> By: bug1 http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-247 bug1 Tue, 03 Mar 2009 13:04:45 +0000 http://www.safercode.com/blog/?p=25#comment-247 Programmers should use dmalloc (or another memory checker, maybe valgrind) to check against memory leaks and fencepost problems (exceeding the end of allocated memory), that should highlight most cases of "unsafe" string use (not format attacks). Introducing functions that allow programmers to remain ignorant of how their code works might be convenient in the short term, but in the long term the best way to write safe code is understand the language. C's strength is that its low level, its not one of these dumbed down flash in the pan convenience languages. Programmers should use dmalloc (or another memory checker, maybe valgrind) to check against memory leaks and fencepost problems (exceeding the end of allocated memory), that should highlight most cases of “unsafe” string use (not format attacks).

Introducing functions that allow programmers to remain ignorant of how their code works might be convenient in the short term, but in the long term the best way to write safe code is understand the language.

C’s strength is that its low level, its not one of these dumbed down flash in the pan convenience languages.

]]> By: DoctorPepper http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-246 DoctorPepper Tue, 03 Mar 2009 11:22:09 +0000 http://www.safercode.com/blog/?p=25#comment-246 Never mind, I answered my own question. The strlcpy and strlcat functions are supposed to be safer versions of strncpy and strncat as well as strcpy and strcat. Man, don't you hate it when you reply too early in the morning? Never mind, I answered my own question. The strlcpy and strlcat functions are supposed to be safer versions of strncpy and strncat as well as strcpy and strcat.

Man, don’t you hate it when you reply too early in the morning?

]]> By: Dummy00001 http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-245 Dummy00001 Tue, 03 Mar 2009 10:31:40 +0000 http://www.safercode.com/blog/?p=25#comment-245 > Solaris and BSD accepted these functions while GNU/Linux refuses to do so till date. Little of Googling never hurts. And definitely might have helped to resolve your confusion and avoid silly remark. GNU refused the function for two very simple reasons: (1) there is no stable interfaces/not a POSIX and (2) redundant. As was pointed many many times, strlcpy() is 100% redundant, as the same effect can be achieved by snprintf(dest,dest_capacity,"%s",src). What's more, snprintf() has very important extra bonus: snprintf(dest,dest_capacity,"%.*s",src_len,src) which allows to work also on non-zero terminated input. > Solaris and BSD accepted these functions while GNU/Linux refuses to do so till date.

Little of Googling never hurts. And definitely might have helped to resolve your confusion and avoid silly remark. GNU refused the function for two very simple reasons: (1) there is no stable interfaces/not a POSIX and (2) redundant.

As was pointed many many times, strlcpy() is 100% redundant, as the same effect can be achieved by snprintf(dest,dest_capacity,”%s”,src).

What’s more, snprintf() has very important extra bonus: snprintf(dest,dest_capacity,”%.*s”,src_len,src) which allows to work also on non-zero terminated input.

]]> By: Maglama http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-244 Maglama Tue, 03 Mar 2009 10:28:57 +0000 http://www.safercode.com/blog/?p=25#comment-244 * EDIT that's supposed to read "We could move the historical functions to an {less-than}unsafe_c.h{greater-than} but the blog stripped it as HTML-like * EDIT that’s supposed to read “We could move the historical functions to an {less-than}unsafe_c.h{greater-than} but the blog stripped it as HTML-like

]]> By: Maglama http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-243 Maglama Tue, 03 Mar 2009 10:27:46 +0000 http://www.safercode.com/blog/?p=25#comment-243 Why don't we just fully depreciate the unsafe functions? Seriously. We could move the historical functions to an , allowing old code to be trivially recompiled if we REALLY don't want to fix it. Everyone else can use heap storage calculated to fit. Why don’t we just fully depreciate the unsafe functions? Seriously.

We could move the historical functions to an , allowing old code to be trivially recompiled if we REALLY don’t want to fix it. Everyone else can use heap storage calculated to fit.

]]> By: DoctorPepper http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-242 DoctorPepper Tue, 03 Mar 2009 10:20:02 +0000 http://www.safercode.com/blog/?p=25#comment-242 What about the strncpy and strncat functions that have been in gcc for quite some time now? They have similar function declarations to the strlcpy and strlcat functions you specified: char *strncpy(char *dest, const char *src, size_t n); char *strncat(char *dest, const char *src, size_t n); Granted, they don't return the number of bytes copied in a size_t, but they will only copy 'n' number of bytes. What about the strncpy and strncat functions that have been in gcc for quite some time now? They have similar function declarations to the strlcpy and strlcat functions you specified:

char *strncpy(char *dest, const char *src, size_t n);
char *strncat(char *dest, const char *src, size_t n);

Granted, they don’t return the number of bytes copied in a size_t, but they will only copy ‘n’ number of bytes.

]]> By: CdeMills http://www.safercode.com/blog/2008/12/02/unsafe-functions-in-c-and-their-safer-replacements-strings-part-ii.html#comment-241 CdeMills Tue, 03 Mar 2009 09:47:29 +0000 http://www.safercode.com/blog/?p=25#comment-241 I agree with the criticisms. To me, a 'string' should really be something opaque instead of a vector of chars. Strings have properties : they can contains standard ASCII characters or use some encoding or be in wide, multi-bytes characters; their storage can be static, local or resulting from a 'malloc' call; and so on. Each item introduces specific issues and pitfalls. Your approach is targeted some issues, based on a few assumptions. If the basic assumptions are not satisfied, behaviour is unspecified. I agree with the criticisms. To me, a ’string’ should really be something opaque instead of a vector of chars. Strings have properties : they can contains standard ASCII characters or use some encoding or be in wide, multi-bytes characters; their storage can be static, local or resulting from a ‘malloc’ call; and so on. Each item introduces specific issues and pitfalls. Your approach is targeted some issues, based on a few assumptions. If the basic assumptions are not satisfied, behaviour is unspecified.

]]>