-
Nu
chevron_right
strcpy: a niche function you don't need
pubsub.kikeriki.at / null_program · Friday, 30 July, 2021 - 19:37 · 32 minutes
<p>The C <a href="https://man7.org/linux/man-pages/man3/strcpy.3.html"><code class="language-plaintext highlighter-rouge">strcpy</code></a> function is a common sight in typical C programs.
It’s also a source of buffer overflow defects, so linters and code
reviewers commonly recommend alternatives such as <a href="https://man7.org/linux/man-pages/man3/strncpy.3.html"><code class="language-plaintext highlighter-rouge">strncpy</code></a>
(difficult to use correctly; mismatched semantics), <a href="https://man.openbsd.org/strlcpy.3"><code class="language-plaintext highlighter-rouge">strlcpy</code></a>
(non-standard), or C11’s optional <code class="language-plaintext highlighter-rouge">strcpy_s</code> (<a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm">no correct or practical
implementations</a>). Besides their individual shortcomings, these
answers are incorrect. <code class="language-plaintext highlighter-rouge">strcpy</code> and friends are, at best, incredibly
niche, and the correct replacement is <code class="language-plaintext highlighter-rouge">memcpy</code>.</p>
<p>If <code class="language-plaintext highlighter-rouge">strcpy</code> is not easily replaced with <code class="language-plaintext highlighter-rouge">memcpy</code> then the code is
fundamentally wrong. Either it’s not using <code class="language-plaintext highlighter-rouge">strcpy</code> correctly or it’s
doing something dumb and should be rewritten. Highlighting such problems
is part of what makes <code class="language-plaintext highlighter-rouge">memcpy</code> such an effective replacement.</p>
<p>Note: Everything here applies just as much to <a href="https://man7.org/linux/man-pages/man3/strcat.3.html"><code class="language-plaintext highlighter-rouge">strcat</code></a> and
friends.</p>
<p>Clarification update: This article is about correctness (objective), not
safety (subjective). If the word “safety” comes to mind then you’ve missed
the point.</p>
<h3 id="common-cases">Common cases</h3>
<p>Buffer overflows arise when the destination is smaller than the source.
Safe use of <code class="language-plaintext highlighter-rouge">strcpy</code> requires <em>a priori</em> knowledge of the length of the
source string length. Usually this knowledge is the exact source string
length. If so, <code class="language-plaintext highlighter-rouge">memcpy</code> is not only a trivial substitute, it’s faster
since it will not simultaneously search for a null terminator.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span> <span class="o">*</span><span class="nf">my_strdup</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">s</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">size_t</span> <span class="n">len</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="p">{</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">s</span><span class="p">);</span> <span class="c1">// BAD</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">c</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">char</span> <span class="o">*</span><span class="nf">my_strdup_v2</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">s</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">size_t</span> <span class="n">len</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">c</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="p">{</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span> <span class="c1">// GOOD</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">c</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>A more benign case is a static source string, i.e. trusted input.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">err</span> <span class="p">{</span>
<span class="kt">char</span> <span class="n">message</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span>
<span class="p">};</span>
<span class="kt">void</span> <span class="nf">set_oom</span><span class="p">(</span><span class="k">struct</span> <span class="n">err</span> <span class="o">*</span><span class="n">err</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">err</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="s">"out of memory"</span><span class="p">);</span> <span class="c1">// BAD</span>
<span class="p">}</span>
</code></pre></div></div>
<p>The size is a compile time constant, so exploit it as such! Even more, a
static assertion (C11) can catch mistakes at compile time rather than run
time.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">set_oom_v2</span><span class="p">(</span><span class="k">struct</span> <span class="n">err</span> <span class="o">*</span><span class="n">err</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">static</span> <span class="k">const</span> <span class="kt">char</span> <span class="n">oom</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"out of memory"</span><span class="p">;</span>
<span class="n">static_assert</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">err</span><span class="o">-></span><span class="n">message</span><span class="p">)</span> <span class="o">>=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">oom</span><span class="p">));</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">err</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">oom</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">oom</span><span class="p">));</span>
<span class="p">}</span>
<span class="c1">// Or using a macro:</span>
<span class="kt">void</span> <span class="nf">set_oom_v3</span><span class="p">(</span><span class="k">struct</span> <span class="n">err</span> <span class="o">*</span><span class="n">err</span><span class="p">)</span>
<span class="p">{</span>
<span class="cp">#define OOM "out of memory"
</span> <span class="n">static_assert</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">err</span><span class="o">-></span><span class="n">message</span><span class="p">)</span> <span class="o">>=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">OOM</span><span class="p">));</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">err</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">OOM</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">OOM</span><span class="p">));</span>
<span class="p">}</span>
<span class="c1">// Or assignment (implicit memcpy):</span>
<span class="kt">void</span> <span class="nf">set_oom_v4</span><span class="p">(</span><span class="k">struct</span> <span class="n">err</span> <span class="o">*</span><span class="n">err</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">static</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">err</span> <span class="n">oom</span> <span class="o">=</span> <span class="p">{</span><span class="s">"out of memory"</span><span class="p">};</span>
<span class="o">*</span><span class="n">err</span> <span class="o">=</span> <span class="n">oom</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>This covers the vast majority of cases of already-correct <code class="language-plaintext highlighter-rouge">strcpy</code>.</p>
<h3 id="less-common-cases">Less common cases</h3>
<p><code class="language-plaintext highlighter-rouge">strcpy</code> can still be correct without knowing the exact source string
length. It is enough to know its <em>upper bound</em> does not exceed the
destination length. In this example — assuming the input is guaranteed to
be null-terminated — this <code class="language-plaintext highlighter-rouge">strcpy</code> is correct without ever knowing the
source string length:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">reply</span> <span class="p">{</span>
<span class="kt">char</span> <span class="n">message</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">;</span>
<span class="p">};</span>
<span class="k">struct</span> <span class="n">log</span> <span class="p">{</span>
<span class="kt">time_t</span> <span class="n">timestamp</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">message</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span>
<span class="p">};</span>
<span class="kt">void</span> <span class="nf">log_reply</span><span class="p">(</span><span class="k">struct</span> <span class="n">log</span> <span class="o">*</span><span class="n">e</span><span class="p">,</span> <span class="k">const</span> <span class="k">struct</span> <span class="n">reply</span> <span class="o">*</span><span class="n">r</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">e</span><span class="o">-></span><span class="n">timestamp</span> <span class="o">=</span> <span class="n">time</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<p>This is a rare case where <code class="language-plaintext highlighter-rouge">strncpy</code> has the right semantics. It zeros out
unused destination bytes, destroying any previous contents.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">strncpy</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">));</span>
<span class="c1">// In this case, same as:</span>
<span class="n">memset</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">));</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">);</span>
</code></pre></div></div>
<p>It’s not a general <code class="language-plaintext highlighter-rouge">strcpy</code> replacement because <code class="language-plaintext highlighter-rouge">strncpy</code> might not write
a null terminator. If the source string does not null-terminate within the
destination length, then neither will destination string.</p>
<p>As before, we can do better with <code class="language-plaintext highlighter-rouge">memcpy</code>!</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">static_assert</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">)</span> <span class="o">>=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">));</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">e</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">r</span><span class="o">-></span><span class="n">message</span><span class="p">));</span>
</code></pre></div></div>
<p>This unconditionally copies 32 bytes. But doesn’t it waste time copying
bytes it won’t need? No! On modern hardware it’s far better to copy a
large, fixed number of bytes than a small, variable number of bytes. After
all, <a href="/blog/2017/10/06/">branching is expensive</a>. Searching for and handling that null
terminator has a cost. This fixed-size copy is literally two instructions
on x86-64 (output of <code class="language-plaintext highlighter-rouge">clang -march=x86-64-v3 -O3</code>):</p>
<div class="language-nasm highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nf">vmovups</span> <span class="nv">ymm0</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsi</span><span class="p">]</span>
<span class="nf">vmovups</span> <span class="p">[</span><span class="nb">rdi</span> <span class="o">+</span> <span class="mi">8</span><span class="p">],</span> <span class="nv">ymm0</span>
</code></pre></div></div>
<p>It’s faster and there’s no <code class="language-plaintext highlighter-rouge">strcpy</code> to attract complaints.</p>
<h3 id="niche-cases">Niche cases</h3>
<p>So where <em>is</em> <code class="language-plaintext highlighter-rouge">strcpy</code> useful? Only where all of the following apply:</p>
<ol>
<li>
<p>You only know the upper bound of the source string.</p>
</li>
<li>
<p>It’s undesirable to read beyond that length. Maybe storage is limited
to the exact length of the string, or the upper bound is very large so
an unconditional copy is too expensive.</p>
</li>
<li>
<p>The source string is so long, and the function so hot, that it’s worth
avoiding two passes: <code class="language-plaintext highlighter-rouge">strlen</code> followed by <code class="language-plaintext highlighter-rouge">memcpy</code>.</p>
</li>
</ol>
<p>These circumstances are very unusual which makes <code class="language-plaintext highlighter-rouge">strcpy</code> a niche function
you probably don’t need. This is the best case I can imagine, and it’s
pretty dumb:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">doc</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">id</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">body</span><span class="p">[</span><span class="mi">1L</span><span class="o"><<</span><span class="mi">20</span><span class="p">];</span>
<span class="p">};</span>
<span class="c1">// Create a new document from a buffer.</span>
<span class="c1">//</span>
<span class="c1">// If body is more than 1MiB, the behavior is undefined.</span>
<span class="k">struct</span> <span class="n">doc</span> <span class="o">*</span><span class="nf">doc_create</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">body</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">struct</span> <span class="n">doc</span> <span class="o">*</span><span class="n">c</span> <span class="o">=</span> <span class="n">calloc</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="o">*</span><span class="n">c</span><span class="p">));</span>
<span class="k">if</span> <span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="p">{</span>
<span class="n">c</span><span class="o">-></span><span class="n">id</span> <span class="o">=</span> <span class="n">id_gen</span><span class="p">();</span>
<span class="n">assert</span><span class="p">(</span><span class="n">strlen</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="o"><</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">c</span><span class="o">-></span><span class="n">body</span><span class="p">));</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">c</span><span class="o">-></span><span class="n">body</span><span class="p">,</span> <span class="n">body</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">c</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>If you’re dealing with such large null-terminated strings that (2) and (3)
apply then you’re already doing something fundamentally wrong and
self-contradictory. The pointer and length should be <a href="/blog/2019/06/30/">kept and passed
together</a>. It’s especially essential for a hot function.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">doc_v2</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="n">id</span><span class="p">;</span>
<span class="kt">size_t</span> <span class="n">len</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">body</span><span class="p">[];</span>
<span class="p">};</span>
</code></pre></div></div>
<h3 id="bonus-_s-isnt-helping-you">Bonus: <code class="language-plaintext highlighter-rouge">*_s</code> isn’t helping you</h3>
<p>C11 introduced “safe” string functions as an optional “Annex K”, each
named with a <code class="language-plaintext highlighter-rouge">_s</code> suffix to its “unsafe” counterpart. Here is the
prototype for <code class="language-plaintext highlighter-rouge">strcpy_s</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">errno_t</span> <span class="nf">strcpy_s</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="kr">restrict</span> <span class="n">s1</span><span class="p">,</span>
<span class="n">rsize_t</span> <span class="n">s1max</span><span class="p">,</span>
<span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="kr">restrict</span> <span class="n">s2</span><span class="p">);</span>
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">rsize_t</code> is a <code class="language-plaintext highlighter-rouge">size_t</code> with a “restricted” range (<code class="language-plaintext highlighter-rouge">RSIZE_MAX</code>,
probably <code class="language-plaintext highlighter-rouge">SIZE_MAX/2</code>) intended to catch integer underflows. If you
<a href="/blog/2017/07/19/">accidentally compute a negative length</a>, it will be a very large
number in unsigned form. (An indicator that <code class="language-plaintext highlighter-rouge">size_t</code> should have
originally been defined as signed.) This will be outside the restricted
range, and so the operation isn’t attempted due to a likely underflow.</p>
<p>These “safe” functions were modeled after functions of the same name in
MSVC. However, as noted, there are no practical implementations of Annex
K. The functions in MSVC have different semantics and behavior, and they
do not attempt to implement the standard.</p>
<p>Worse, they don’t even do what’s promised in <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-s-wcscpy-s-mbscpy-s?view=msvc-160">their documentation</a>.
The following program should cause a runtime-constraint violation since
<code class="language-plaintext highlighter-rouge">-1</code> is an invalid <code class="language-plaintext highlighter-rouge">rsize_t</code> in any reasonable implementation:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define __STDC_WANT_LIB_EXT1__ 1
#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span>
<span class="n">errno_t</span> <span class="n">r</span> <span class="o">=</span> <span class="n">strcpy_s</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="s">"hello"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%d %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">r</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<p>With the latest MSVC as of this writing (VS 2019), this program prints “<code class="language-plaintext highlighter-rouge">0
hello</code>”. Using <code class="language-plaintext highlighter-rouge">strcpy_s</code> did not make my program any safer than had I
just used <code class="language-plaintext highlighter-rouge">strcpy</code>. If anything, it’s <em>less safe</em> due to a false sense of
security. Don’t use these functions.</p>
