On Wed, Nov 21, 2001 at 12:47:49AM -0600, Bryan Andersen wrote:
> One thing I think is quite important is to get rid of calls to
> routines that it is possible to buffer overflow. OpenBSD has a
> "feature" in their version of gcc that will cause a compile time
> error message telling you when one of the standard library
> routines known to be overflowable is used.

I hope strcpy() does not belong to this class. It's quite common to do
something like this:

    int len = strlen(s);
    char *new = (char *) malloc(len + 1);
    strcpy(new, s);

This is perfectly fine. strncpy() is even more dangerous, since it
doesn't add a final nul-byte if strlen(src) > n. Most people are not
aware of this problem. So, most of the time you use strncpy() you should
use a construction like this:

    strncpy(dst, src, len);
    dst[len] = '\0';

- Sebastian
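
An added example, not part of the original message: it checks when a bare strncpy() leaves the destination without a terminator (including the boundary case where the source is exactly n bytes long) and wraps the strncpy-plus-terminator construction in a helper that also reports truncation. The function names raw_strncpy_terminates and copy_terminated are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bare strncpy(dst, src, n) into an n-byte buffer pre-filled with 'X'.
 * Returns 1 if a NUL byte ends up inside those n bytes, 0 if the
 * buffer is left unterminated, -1 if allocation fails. */
int raw_strncpy_terminates(const char *src, size_t n)
{
    char *dst = malloc(n);
    int ok;

    if (dst == NULL)
        return -1;
    memset(dst, 'X', n);            /* make a missing NUL visible */
    strncpy(dst, src, n);
    ok = memchr(dst, '\0', n) != NULL;
    free(dst);
    return ok;
}

/* The construction from the message. dst must have room for len + 1
 * bytes. Returns 1 if src did not fit and was cut short, 0 otherwise. */
int copy_terminated(char *dst, const char *src, size_t len)
{
    strncpy(dst, src, len);
    dst[len] = '\0';                /* always terminated */
    return strlen(src) > len;
}

int main(void)
{
    char buf[5];                    /* 4 characters + terminator */
    int cut;

    printf("short source terminated:   %d\n",
           raw_strncpy_terminates("abc", 8));
    printf("exact-fit terminated:      %d\n",
           raw_strncpy_terminates("abcdefgh", 8));
    printf("over-long terminated:      %d\n",
           raw_strncpy_terminates("abcdefghij", 8));

    cut = copy_terminated(buf, "hello world", sizeof buf - 1);
    printf("copy_terminated: \"%s\" (truncated=%d)\n", buf, cut);
    return 0;
}
```

The truncation flag matters because a silently shortened path, user name or host name can change the meaning of a later comparison or lookup.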