Open In App

Why strcpy and strncpy are not safe to use?

Improve
Improve
Like Article
Like
Save
Share
Report

strcpy() function

The strcpy() function is used to copy the source string to destination string. If the buffer size of dest string is more than src string, then copy the src string to dest string with terminating NULL character. But if dest buffer is less than src then it will copy the content without terminating NULL character. The strings may not overlap, and the destination string must be large enough to receive the copy. 

Syntax:

char *strcpy( char *dest, const char *src )

Parameters: This function accepts two parameters as mentioned above and described below:

  • src: The string which will be copied.
  • dest: Pointer to the destination array where the content is to be copied.

Return Value: It returns a pointer to the destination string. 

C++




// C++ Program to illustrate the
// strcpy() function in C/C++
 
#include <iostream>
#include <cstring>
using namespace std;
 
int main()
{
    char src[] = "geeksforgeeks";
 
    // Here destination is large enough
    // to store the src with Null
    // character at the end
    char dest[14];
 
    // copying src into dest.
    strcpy(dest, src);
    cout << "Copied string: " << dest << endl;
     
    return 0;
}
 
// This code is contributed by sarajadhav12052009


C




// C Program to illustrate the
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
 
    // Here destination is large enough
    // to store the src with Null
    // character at the end
    char dest[14];
 
    // copying src into dest.
    strcpy(dest, src);
    printf("Copied string: %s\n", dest);
     
    return 0;
}


Output:

Copied string: geeksforgeeks

Time Complexity: O(n)
Auxiliary Space: O(1)

Problem with strcpy(): The strcpy() function does not specify the size of the destination array, so buffer overrun is often a risk. Using strcpy() function to copy a large character array into a smaller one is dangerous, but if the string will fit, then it will not be worth the risk. If the destination string is not large enough to store the source string then the behavior of strcpy() is unspecified or undefined. 

C++




// C++ Program to illustrate the problem in
// strcpy() function in C/C++
 
#include <iostream>
#include <cstring>
using namespace std;
 
int main()
{
    char src[] = "geeksforgeeks";
 
    // Here destination is not large
    // enough to store the src. so the
    // behaviour of strcpy is unspecified.
    // program may crashed, but its
    // printing geeksforgeeks
    char dest[2];
     
    // copying src into dest.
    strcpy(dest, src);
    cout << "Copied string: " << dest << endl;
     
    return 0;
}
 
// This code is contributed by sarajadhav12052009


C




// C Program to illustrate the problem in
// strcpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
 
    // Here destination is not large
    // enough to store the src. so the
    // behaviour of strcpy is unspecified.
    // program may crashed, but its
    // printing geeksforgeeks
    char dest[2];
     
    // copying src into dest.
    strcpy(dest, src);
    printf("Copied string: %s\n", dest);
     
    return 0;
}


Output:

Copied string: geeksforgeeks

Time Complexity: O(n)
Auxiliary Space: O(1)

strncpy() function

The strncpy() function is similar to strcpy() function, except that at most n bytes of src are copied. If there is no NULL character among the first n character of src, the string placed in dest will not be NULL-terminated. If the length of src is less than n, strncpy() writes an additional NULL characters to dest to ensure that a total of n characters are written. Syntax:

char *strncpy( char *dest, const char *src, size_t n )

Parameters: This function accepts three parameters as mentioned above and described below:

  • src: The string which will be copied.
  • dest: Pointer to the destination array where the content is to be copied.
  • n: The first n character copied from src to dest.

Return Value: It returns a pointer to the destination string. 

Example: 

C++




// C++ Program to illustrate the
// strncpy() function in C/C++
 
#include <iostream>
#include <cstring>
using namespace std;
 
int main()
{
    char src[] = "geeksforgeeks";
     
    // The destination string size is 14.
    char dest[14];
     
    // copying n bytes of src into dest.
    strncpy(dest, src, 14);
    cout << "Copied string: " << dest << endl;
     
    return 0;
}
 
// This code is contributed by sarajadhav12052009


C




// C Program to illustrate the
// strncpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
     
    // The destination string size is 14.
    char dest[14];
     
    // copying n bytes of src into dest.
    strncpy(dest, src, 14);
    printf("Copied string: %s\n", dest);
     
    return 0;
}


Output:

Copied string: geeksforgeeks

Time Complexity: O(n)
Auxiliary Space: O(1)

Problem with strncpy(): If there is no null character among the first n character of src, the string placed in dest will not be null-terminated. So strncpy() does not guarantee that the destination string will be NULL terminated. The strlen() non-terminated string can cause segfault. In other words, a non-terminated string in C/C++ is a time-bomb just waiting to destroy code. 

C++




// C++ Program to illustrate the problem in
// strncpy() function in C/C++
 
#include <iostream>
#include <cstring>
using namespace std;
 
int main()
{
    char src[] = "geeksforgeeks";
     
    // The destination string size is 8
    // which is less than length of src.
    char dest[8];
     
    // copying 8 bytes of src into dest.
    // dest is not NULL terminated.
    strncpy(dest, src, 8);
     
    // using strlen function on non terminated.
    // string which can cause segfault.
    int len = strlen(dest);
     
    cout << "Copied string: " << dest << endl;
    cout << "Length of destination string: " << len << endl;
     
    return 0;
}
 
// This code is contributed by sarajadhav12052009


C




// C Program to illustrate the problem in
// strncpy() function in C/C++
#include <stdio.h>
#include <string.h>
int main()
{
    char src[] = "geeksforgeeks";
     
    // The destination string size is 8
    // which is less than length of src.
    char dest[8];
     
    // copying 8 bytes of src into dest.
    // dest is not NULL terminated.
    strncpy(dest, src, 8);
     
    // using strlen function on non terminated.
    // string which can cause segfault.
    int len = strlen(dest);
     
    printf("Copied string: %s\n", dest);
    printf("Length of destination string: %d\n", len);
     
    return 0;
}


Output:

Copied string: geeksfor
Length of destination string: 8

Time Complexity: O(n)
Auxiliary Space: O(1)

Now, the next question is, any function that guarantees the destination string will be NULL-terminated and no chance of buffer overrun? So, the answer of above question is “YES”, there are several function in “stdio.h” library which guarantee the above condition will be satisfied.

Both functions guarantee that the destination string will be NULL terminated.Similarly, snprintf() function, strlcpy function copied at most dest_size-1 characters (dest_size is the size of the destination string buffer) from src to dst, truncating src if necessary. The result is always null-terminated. The function returns strlen(src). Buffer overflow can be checked as follows:

 if (strlcpy(dst, src, dstsize) >= dest_size)
         return -1;

Ranking the functions according to level of sanity:

strcpy < strncpy < snprintf < strlcpy


Last Updated : 03 Feb, 2023
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads