Why strcpy and strncpy are not safe to use?

strcpy() function

The strcpy() function is used to copy the source string to destination string. If the buffer size of dest string is more then src string, then copy the src string to dest string with terminating NULL character. But if dest buffer is less, then src then it will copy the content without terminating NULL character. The strings may not overlap, and the destination string must be large enough to receive the copy.

Syntax:

char *strcpy( char *dest, const char *src )

Parameters: This function accepts two parameters as mentioned above and described below:

  • src: The string which will be copied.
  • dest: Pointer to the destination array where the content is to be copied.

Return Value: It returns a pointer to the destination string.

filter_none

edit
close

play_arrow

link
brightness_4
code

// C Program  to illustrate the 
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
  
    // Here destination is large enough
    // to store the src with Null 
    // character at the end
    char dest[14];
  
    // copying src into dest.
    strcpy(dest, src);
    printf("Copied string: %s\n", dest);
      
    return 0;
}

chevron_right


Output:

Copied string: geeksforgeeks

Problem with strcpy(): The strcpy() function does not specify the size of the destination array, so buffer overrun is often a risk. Using strcpy() function to copy a large character array into smaller one is dangerous, but if the string will fit, then it will not worth the risk. If destination string is not large enough to store the source string then the behavior of strcpy() is unspecified or undefined.

filter_none

edit
close

play_arrow

link
brightness_4
code

// C Program  to illustrate the problem in 
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
  
    // Here destination is not large
    // enough to store the src. so the
    // behaviour of strcpy is unspecified.
    // program may crashed, but its
    // printing geeksforgeeks
    char dest[2];
      
    // copying src into dest.
    strcpy(dest, src);
    printf("Copied string: %s\n", dest);
      
    return 0;
}

chevron_right


Output:

Copied string: geeksforgeeks

strncpy() function

The strncpy() function is similar to strcpy() function, except that at most n bytes of src are copied. If there is no NULL character among the first n character of src, the string placed in dest will not be NULL-terminated. If the length of src is less than n, strncpy() writes additional NULL character to dest to ensure that a total of n character are written.

Syntax:

char *strncpy( char *dest, const char *src, size_t n )

Parameters: This function accepts two parameters as mentioned above and described below:

  • src: The string which will be copied.
  • dest: Pointer to the destination array where the content is to be copied.
  • n: The first n character copied from src to dest.

Return Value: It returns a pointer to the destination string.

Example:

filter_none

edit
close

play_arrow

link
brightness_4
code

// C Program  to illustrate the 
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
      
    // The destination string size is 14.
    char dest[14];
      
    // copying n bytes of src into dest.
    strncpy(dest, src, 14);
    printf("Copied string: %s\n", dest);
      
    return 0;
}

chevron_right


Output:

Copied string: geeksforgeeks

Problem with strncpy(): If there is no null character among the first n character of src, the string placed in dest will not be null-terminated. So strncpy() does not guarantee that the destination string will be NULL terminated. The strlen() non-terminated string can cause segfault. In other words, non-terminated string in C/C++ is a time-bomb just waiting to destroy code.

filter_none

edit
close

play_arrow

link
brightness_4
code

// C Program  to illustrate the problem in 
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
      
    // The destination sting size is 8
    // which is less than length of src.
    char dest[8];
      
    // copying 8 bytes of src into dest.
    // dest is not NULL terminated.
    strncpy(dest, src, 8);
      
    // using strlen function on non terminated.
    // string which can cause segfault.
    int len = strlen(dest);
      
    printf("Copied string: %s\n", dest);
    printf("Length of destination string: %d\n", len);
      
    return 0;
}

chevron_right


Output:

Copied string: geeksfor
Length of destination string: 8

Now, the next question is, any function which guarantees that destination string will be NULL terminated and no chance of buffer overrun?

So, the answer of above question is “YES”, there are several function in “stdio.h” library which guarantee the above condition will be satisfied.

Both functions guarantee that the destination string will be NULL terminated.Similarly, snprintf() function, strlcpy function copied at most dest_size-1 characters (dest_size is the size of the destination string buffer) from src to dst, truncating src if necessary. The result is always null-terminated. The function returns strlen(src). Buffer overflow can be checked as follows:

 if (strlcpy(dst, src, dstsize) >= dest_size)
         return -1;

Ranking the functions according to level of sanity:

strcpy < strncpy < snprintf < strlcpy


My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.




Article Tags :
Practice Tags :


2


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.