NetBSD Problem Report #59540
From www@netbsd.org Mon Jul 21 18:58:50 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 96CF91A9239
for <gnats-bugs@gnats.NetBSD.org>; Mon, 21 Jul 2025 18:58:50 +0000 (UTC)
Message-Id: <20250721185849.3511D1A923C@mollari.NetBSD.org>
Date: Mon, 21 Jul 2025 18:58:49 +0000 (UTC)
From: rwhitlock22@gmail.com
Reply-To: rwhitlock22@gmail.com
To: gnats-bugs@NetBSD.org
Subject: strlcpy(3) has an off-by-one in the manual page
X-Send-Pr-Version: www-1.0
>Number: 59540
>Category: lib
>Synopsis: strlcpy(3) has an off-by-one in the manual page
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 21 19:00:00 +0000 2025
>Originator: Robert Whitlock
>Release: NetBSD current, 10.99.14, July 11, 2025
>Organization:
>Environment:
see above
>Description:
strlcpy(3) claims that strlcpy leaves bytes past dst[strlen(src) + 1] uninitialized, when it would be more precise to say that it leaves bytes past dst[strlen(src)] uninitialized. This can be easily seen by considering the case where src is the empty string "". Then strlen(src) == 0 and dst[strlen(src) + 1] == dst[1], which is one past the terminating NUL byte that is there when strlcpy has finished. The first byte past dst[1] is then the second byte past the NUL terminating byte.
The patch also includes a minor formatting fix.
>How-To-Repeat:
man strlcpy
>Fix:
Index: strlcpy.3
===================================================================
RCS file: /cvsroot/src/lib/libc/string/strlcpy.3,v
retrieving revision 1.25
diff -u -r1.25 strlcpy.3
--- strlcpy.3 2 Apr 2025 00:50:19 -0000 1.25
+++ strlcpy.3 21 Jul 2025 18:18:15 -0000
@@ -79,7 +79,7 @@
then the
.Fn strlcat
function returns
-.Fa size + Fn strlen src
+.Fa size Li + Fn strlen src
without writing anything to
.Fa dst .
.Pp
@@ -146,11 +146,11 @@
\(em
.Fn strlcpy
leaves bytes past
-.Fa dst Ns Li "[" Fn strlen src Li "+ 1" Ns Li "]"
+.Fa dst Ns Li "[" Fn strlen src Ns Li "]"
uninitialized, and
.Fn strlcat
leaves bytes past
-.Fa dst Ns Li "[" Fn strlen dst Li + Fn strlen src Li + 1 Ns Li "]"
+.Fa dst Ns Li "[" Fn strlen dst Li + Fn strlen src Ns Li "]"
uninitialized.
This can lead to security vulnerabilities such as leaking secrets from
uninitialized stack or heap buffers.
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home