Secure versions of strcpy and strncpy

Source: Internet
Author: User

Char * src = new char [10];

Memset (SRC, 1, 10 );

Char * DEST = new char [20];

Strcpy (DEST, Src );

In this example, we cannot easily find a bug in the strcpy statement. Because SRC does not have a break.

Currently, the company uses codescan to find strcpy and use strncpy instead. But in fact, this method is not safe. Strcpy is uneasy because of the bug of the interface itself. strncpy can avoid strcpy's defects to some extent. However, strncpy is not secure. Because the number of bytes of the target pointer may be insufficient to store the content pointed to by the source pointer.

For example:

Char * src = "Hello world! ";

Char * DEST = new char [10];

Strncpy (DEST, SRC, strlen (SRC); // there is a bug

Currently, for strcpy and strncpy, the corresponding security version has been released since vs2005:

The interface definition is changed as follows:

Char * strcpy (char * DEST, const char * SRC) --> errno_t strcpy_s (char * DEST,
Size_t numelems, const char * SRC)

Char * strcpy (char * DEST, const char * SRC, size_t count) --> errno_t
Strcpy_s (char * DEST, size_t numelems, const char * SRC, size_t count)

The latter is safer than the former because they added a numelems parameter to the interface to indicate the number of bytes in the dest, preventing the bug caused by insufficient space in the target pointer DEST, and changing the return value to a return error.CodeInstead of returning char * for some convenience *. In this way, the interface definition is much safer than the original one.

So we should change strcpy to strncpy_s. This makes it safer.


Interface Definition is often very important. But there are also some corresponding specifications. For example:

1) in the interface, if the target pointer to be modified appears, you need to increase the number of bytes that can be stored.

2) the interface generally returns int (errno_t is actually INT), which can mark the returned error type. (Note: In an abnormal environment, it is not returned. In some special cases, the desired type is directly returned .)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.