Question
I have an old project that is mixed C and C++. It makes extensive use of C strings and of strcpy, strcat, strncpy, strncat etc. I've uncovered a number of buffer overflows, and I'd like to use more secure functions, such as strcpy_s. MSVC includes those functions, but I need something that will work on various platforms - linux, osx, and windows at the least.
I do know of strlcpy, but as plenty of people have noted (example), it really isn't an improvement.
So: Are there any free implementations of strcpy_s, strcat_s, etc, or of the entire TR24731-1?
I need something that's either public domain or BSD, but if you know of implementations under other licenses, go ahead and list them - I'm sure someone else will benefit.
Answer 1:
Try with the Safe C library. It's under the MIT license and according to this list implements the functions you're looking for:
The Safe C Library provides bound checking memory and string functions per ISO/IEC TR24731. These functions are alternative functions to the existing standard C library that promote safer, more secure programming
Answer 2:
You can use memcpy and memset etc, which are portable and safer than string functions.
Answer 3:
Why not use strncpy and strncat? Contrary to strlcpy and strlcat, they are standard C functions. These functions are not perfect but you can use them safely.
And also note that the bounds-checking _s functions are optional in the current Standard.
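Using strncpy and strncat safely, as Answer 3 suggests, depends on two details: strncpy leaves the destination unterminated when the source fills it, and strncat's length argument counts characters to append rather than the buffer size. The following is an added example, not code from the original post or from any library; bounded_copy and bounded_append are hypothetical helper names, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not from the post or any library. src must be a
 * valid NUL-terminated string. Return 0 = ok, 1 = truncated, -1 = bad args. */

int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* strncpy adds no terminator when src has >= n characters, so copy
     * at most dstsz-1 bytes and terminate explicitly. */
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz ? 1 : 0;
}

int bounded_append(char *dst, size_t dstsz, const char *src)
{
    const char *end;
    size_t room;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* Refuse a destination that is not terminated inside its buffer. */
    end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return -1;
    /* strncat's n is the number of characters to append, not the buffer
     * size; it always writes one more byte for the terminator. */
    room = dstsz - (size_t)(end - dst) - 1;
    strncat(dst, src, room);
    return strlen(src) > room ? 1 : 0;
}

int main(void)
{
    char path[8];   /* constructed sample inputs below */
    int rc = bounded_copy(path, sizeof path, "/var/log");
    printf("copy   rc=%d \"%s\"\n", rc, path);
    rc = bounded_copy(path, sizeof path, "/tmp");
    printf("copy   rc=%d \"%s\"\n", rc, path);
    rc = bounded_append(path, sizeof path, "/cache");
    printf("append rc=%d \"%s\"\n", rc, path);
    return 0;
}
```

Callers should treat a return value of 1 as an error wherever a silently shortened string would change meaning, such as file paths or command arguments.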
Source: https://stackoverflow.com/questions/10067728/are-there-any-free-implementations-of-strcpy-s-and-or-tr24731-1