On 10/07/2021 22:36, Alejandro Colomar (man-pages) wrote: > On 7/10/21 10:49 PM, Jonny Grant wrote: >> On 10/07/2021 19:37, Alejandro Colomar (man-pages) wrote: >>> diff --git a/man3/wcslen.3 b/man3/wcslen.3 >>> index af3fcb9ca..868f748a8 100644 >>> --- a/man3/wcslen.3 >>> +++ b/man3/wcslen.3 >>> @@ -58,5 +58,12 @@ T} Thread safety MT-Safe >>> .sp 1 >>> .SH CONFORMING TO >>> POSIX.1-2001, POSIX.1-2008, C99. >>> +.SH NOTES >>> +.SS wcsnlen(3) >>> +If there is a known buffer size, >>> +it is probably better to use >>> +.BR wcsnlen (3), >>> +which can prevent some cases of buffer overrun/overflow. >>> .SH SEE ALSO >>> -.BR strlen (3) >>> +.BR strlen (3), >>> +.BR wcsnlen (3) >>> >> >> Hi Alex >> >> Thank you for making the updates! >> >> As "buffer overrun" refers to writing to a buffer, my 2 cents would be to express as: >> >> "which will prevent reading beyond the end of the character buffer" > > I wrote both overrun and overflow on purpose. > I was thinking of something like: > > const char *src; > char dest[5]; > > src = "This is a very ... long valid string"; > len = strnlen(src, 5 - 1); > /* strlen(s) wouldn't overrun, but the next call would overflow */ > memcpy(dest, src, len); > dest[len] = '\0'; Sounds like any overflow would be due to the application code, rather than strnlen. > > But after thinking about it a second time, I think I'll remove it, and keep only overrun (and I like your text, I'll copy part of it), as the overflow is a problem of considering that the size of the buffers is going to be the same, and the solution is not to use strnlen(3), but to differentiate both sizes, which allows to detect truncation. > > If the input string is known but the output buffer is small, I'd call strlen(str) and then MIN(len, bufsiz) (this is kind of equivalent to what strlcpy(3bsd) does). > And if the input string is untrusted, I'd call strnlen(str, strsiz) and MIN(len, bufsiz) (this is kind of what strncpy_s(3) does). > > strlcpy is considered harmful, best avoid it. It breaks ISO TR24731 "Do not unexpectedly truncate strings" by silently overwriting memory before checking there was enough space to copy all the bytes. > >> >> Any thoughts about adding the following? >> >> NOTES >> Calling strlen with a NULL pointer is undefined behavior. > > > I'm waiting for Michael and/or Florian to comment on my proposal. > > I don't want to fix a page and have 296 broken... I want to fix them all at once, but am not sure which solution to apply. > > But yes, adding a line like that one is likely. > > Thanks! > > Alex Ok, no immediate rush. Jonny
