# Tuesday, April 27, 2004

So, read any good buffer-overrun articles lately? Notice how they like to show the hapless programmer cheerfully using strcpy() to copy 11 characters (or 11,000 maybe) starting at the location where only 10 characters worth of space was allocated? Or maybe it's strcat that, merrily continuing till it finds that null terminator in the source string, goes way past its boundaries. Did you ever think to yourself as you read these examples, “Why can't strcpy, strcat, and the rest of them save stupid programmers from themselves?” (It's ourselves, really, but we all suffer from a little denial that we could ever write that sort of code.)

That's an idea, let's replace the naive and trusting version of strcpy, that assumes no-one ever gives it inappropriate arguments, with another version that doesn't always do as it's asked! Why not? I'll tell you why not: this is C++. And if C++ had a motto, it would be “you're the programmer!” or as I sometimes say, “OK, it's your foot!” Seriously, changing the way strcpy behaves might break code that isn't broken or insecure right now. In C++, we're allowed to write code that some compilers wouldn't let us write.

And if you were going to rewrite things, you might like to change the signature anyway, so that you could return an error code or other information. That means what you really need is a replacement for strcpy (and the rest) that's a little safer. And maybe to have the compiler warn you on your calls to strcpy so you can go through by hand and switch to these safer ones case-by-case.

That sounds like a plan. And I don't even have to do it. It's coming in the updated versions of the C Runtime Library for Whid-- er, Visual Studio 2005. And while they're at it, they're adding some overrun protection to the STL in the same timeframe. Intrigued? Read the whitepaper on MSDN. Michael Howard, coauthor of  Writing Secure Code,  lays out some of the problems and how the secure versions of old CRT standbys can keep your code out of hot water.

Tuesday, April 27, 2004 10:20:37 PM (Eastern Daylight Time, UTC-04:00)  #    Comments [4]
Wednesday, April 28, 2004 5:59:22 PM (Eastern Daylight Time, UTC-04:00)
Kate,

Some would argue that you should use strncpy and strncat (which also require a size to be provided) to help limit the issues you refer to at the start of your blog.

Just my $0.02

Bret
Bret
Wednesday, April 28, 2004 6:39:56 PM (Eastern Daylight Time, UTC-04:00)
Hi Kate!

It seems like we were thinking alike...again-)

See above link
Wednesday, April 28, 2004 8:25:15 PM (Eastern Daylight Time, UTC-04:00)
As Micheal points out in the whitepaper, strncpy and strncat may be *safer* than strcpy and strcat, but they're not *safe*. The rewrite includes replacements for them, too. He has some scary examples of code that looks OK at first glance, but most definitely isn't.

Kate
Kate Gregory
Wednesday, March 01, 2006 7:05:57 AM (Eastern Standard Time, UTC-05:00)
I've long since considered strcpy et al to be optimisations. For the majority of code I use the STL basic_string classes' functions to manipulate strings, and keep strcpy for something that really has to be fast and hence really has to have less runtime checking (which doesn't actually happen very often, premature optimisation and all that...).
Comments are closed.