Replace strlcat/strlcpy with safe str_copy/str_append (#2678)

This unifies string handling across platforms and reduces unsafe usage of strncpy/strlcat/strlcpy/strcpy, improving robustness.

Author: giampaolo

HISTORY.rst

@@ -11,6 +11,10 @@ XXXX-XX-XX
   mandatory formatting style for all C sources.
 - 2672_, [macOS], [BSD]: increase the chances to recognize zombie processes and
   raise the appropriate exception (`ZombieProcess`_).
+- 2676_, 2678_: replace unsafe `sprintf` / `snprintf` / `sprintf_s` calls with
+  `str_format()`. Replace `strlcat` / `strlcpy` with safe `str_copy` /
+  `str_append`. This unifies string handling across platforms and reduces
+  unsafe usage of standard string functions, improving robustness.
 
 **Bug fixes**
 

psutil/_psutil_aix.c

@@ -633,7 +633,7 @@ psutil_net_if_stats(PyObject *self, PyObject *args) {
     if (sock == -1)
         goto error;
 
-    PSUTIL_STRNCPY(ifr.ifr_name, nic_name, sizeof(ifr.ifr_name));
+    str_copy(ifr.ifr_name, sizeof(ifr.ifr_name), nic_name);
 
     // is up?
     ret = ioctl(sock, SIOCGIFFLAGS, &ifr);

psutil/arch/all/init.h

@@ -117,19 +117,16 @@ extern int PSUTIL_CONN_NONE;
     } while (0)
 
 
-// strncpy() variant which appends a null terminator.
-#define PSUTIL_STRNCPY(dst, src, n) \
-    strncpy(dst, src, n - 1);       \
-    dst[n - 1] = '\0'
-
-
 PyObject *psutil_oserror(void);
 PyObject *psutil_oserror_ad(const char *msg);
 PyObject *psutil_oserror_nsp(const char *msg);
 PyObject *psutil_oserror_wsyscall(const char *syscall);
 PyObject *psutil_runtime_error(const char *msg, ...);
 
+int str_append(char *dst, size_t dst_size, const char *src);
+int str_copy(char *dst, size_t dst_size, const char *src);
 int str_format(char *buf, size_t size, const char *fmt, ...);
+
 int psutil_badargs(const char *funcname);
 int psutil_setup(void);
 

psutil/arch/all/str.c

@@ -9,10 +9,19 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <string.h>
 
 #include "init.h"
 
 
+static int
+_error(const char *msg) {
+    // print debug msg because we never check str_*() return value.
+    psutil_debug("%s", msg);
+    return -1;
+}
+
+
 // Safely formats a string into a buffer. Writes a printf-style
 // formatted string into `buf` of size `size`, always null-terminating
 // if size > 0. Returns the number of characters written (excluding the
@@ -23,10 +32,8 @@ str_format(char *buf, size_t size, const char *fmt, ...) {
     va_list args;
     int ret;
 
-    if (size == 0) {
-        psutil_debug("str_format: invalid arg 'size' = 0");
-        return -1;
-    }
+    if (size == 0)
+        return _error("str_format: invalid arg 'size' = 0");
 
     va_start(args, fmt);
 #if defined(PSUTIL_WINDOWS)
@@ -43,3 +50,52 @@ str_format(char *buf, size_t size, const char *fmt, ...) {
     }
     return ret;
 }
+
+
+// Safely copy `src` to `dst`, always null-terminating. Replaces unsafe
+// strcpy/strncpy.
+int
+str_copy(char *dst, size_t dst_size, const char *src) {
+    if (dst_size == 0)
+        return _error("str_copy: invalid arg 'dst_size' = 0");
+
+#if defined(PSUTIL_WINDOWS)
+    if (strcpy_s(dst, dst_size, src) != 0)
+        return _error("str_copy: strcpy_s failed");
+#else
+    strncpy(dst, src, dst_size - 1);
+    dst[dst_size - 1] = '\0';
+#endif
+    return 0;
+}
+
+
+// Safely append `src` to `dst`, always null-terminating. Returns 0 on
+// success, -1 on truncation.
+int
+str_append(char *dst, size_t dst_size, const char *src) {
+    size_t dst_len;
+
+    if (!dst || !src || dst_size == 0)
+        return _error("str_append: invalid arg");
+
+#if defined(PSUTIL_WINDOWS)
+    dst_len = strnlen_s(dst, dst_size);
+    if (dst_len >= dst_size - 1)
+        return _error("str_append: destination full or truncated");
+    if (strcat_s(dst, dst_size, src) != 0)
+        return _error("str_append: strcat_s failed");
+#elif defined(PSUTIL_MACOS) || defined(PSUTIL_BSD)
+    dst_len = strlcat(dst, src, dst_size);
+    if (dst_len >= dst_size)
+        return _error("str_append: truncated");
+#else
+    dst_len = strnlen(dst, dst_size);
+    if (dst_len >= dst_size - 1)
+        return _error("str_append: destination full or truncated");
+    strncat(dst, src, dst_size - dst_len - 1);
+    dst[dst_size - 1] = '\0';
+#endif
+
+    return 0;
+}

psutil/arch/bsd/disk.c

@@ -80,73 +80,71 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
 
         // see sys/mount.h
         if (flags & MNT_RDONLY)
-            strlcat(opts, "ro", sizeof(opts));
+            str_append(opts, sizeof(opts), "ro");
         else
-            strlcat(opts, "rw", sizeof(opts));
+            str_append(opts, sizeof(opts), "rw");
         if (flags & MNT_SYNCHRONOUS)
-            strlcat(opts, ",sync", sizeof(opts));
+            str_append(opts, sizeof(opts), ",sync");
         if (flags & MNT_NOEXEC)
-            strlcat(opts, ",noexec", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noexec");
         if (flags & MNT_NOSUID)
-            strlcat(opts, ",nosuid", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nosuid");
         if (flags & MNT_ASYNC)
-            strlcat(opts, ",async", sizeof(opts));
+            str_append(opts, sizeof(opts), ",async");
         if (flags & MNT_NOATIME)
-            strlcat(opts, ",noatime", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noatime");
         if (flags & MNT_SOFTDEP)
-            strlcat(opts, ",softdep", sizeof(opts));
+            str_append(opts, sizeof(opts), ",softdep");
 #ifdef PSUTIL_FREEBSD
         if (flags & MNT_UNION)
-            strlcat(opts, ",union", sizeof(opts));
+            str_append(opts, sizeof(opts), ",union");
         if (flags & MNT_SUIDDIR)
-            strlcat(opts, ",suiddir", sizeof(opts));
-        if (flags & MNT_SOFTDEP)
-            strlcat(opts, ",softdep", sizeof(opts));
+            str_append(opts, sizeof(opts), ",suiddir");
         if (flags & MNT_NOSYMFOLLOW)
-            strlcat(opts, ",nosymfollow", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nosymfollow");
 #ifdef MNT_GJOURNAL
         if (flags & MNT_GJOURNAL)
-            strlcat(opts, ",gjournal", sizeof(opts));
+            str_append(opts, sizeof(opts), ",gjournal");
 #endif
         if (flags & MNT_MULTILABEL)
-            strlcat(opts, ",multilabel", sizeof(opts));
+            str_append(opts, sizeof(opts), ",multilabel");
         if (flags & MNT_ACLS)
-            strlcat(opts, ",acls", sizeof(opts));
+            str_append(opts, sizeof(opts), ",acls");
         if (flags & MNT_NOCLUSTERR)
-            strlcat(opts, ",noclusterr", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noclusterr");
         if (flags & MNT_NOCLUSTERW)
-            strlcat(opts, ",noclusterw", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noclusterw");
 #ifdef MNT_NFS4ACLS
         if (flags & MNT_NFS4ACLS)
-            strlcat(opts, ",nfs4acls", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nfs4acls");
 #endif
 #elif PSUTIL_NETBSD
         if (flags & MNT_NODEV)
-            strlcat(opts, ",nodev", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nodev");
         if (flags & MNT_UNION)
-            strlcat(opts, ",union", sizeof(opts));
+            str_append(opts, sizeof(opts), ",union");
         if (flags & MNT_NOCOREDUMP)
-            strlcat(opts, ",nocoredump", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nocoredump");
 #ifdef MNT_RELATIME
         if (flags & MNT_RELATIME)
-            strlcat(opts, ",relatime", sizeof(opts));
+            str_append(opts, sizeof(opts), ",relatime");
 #endif
         if (flags & MNT_IGNORE)
-            strlcat(opts, ",ignore", sizeof(opts));
+            str_append(opts, sizeof(opts), ",ignore");
 #ifdef MNT_DISCARD
         if (flags & MNT_DISCARD)
-            strlcat(opts, ",discard", sizeof(opts));
+            str_append(opts, sizeof(opts), ",discard");
 #endif
 #ifdef MNT_EXTATTR
         if (flags & MNT_EXTATTR)
-            strlcat(opts, ",extattr", sizeof(opts));
+            str_append(opts, sizeof(opts), ",extattr");
 #endif
         if (flags & MNT_LOG)
-            strlcat(opts, ",log", sizeof(opts));
+            str_append(opts, sizeof(opts), ",log");
         if (flags & MNT_SYMPERM)
-            strlcat(opts, ",symperm", sizeof(opts));
+            str_append(opts, sizeof(opts), ",symperm");
         if (flags & MNT_NODEVMTIME)
-            strlcat(opts, ",nodevmtime", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nodevmtime");
 #endif
         py_dev = PyUnicode_DecodeFSDefault(fs[i].f_mntfromname);
         if (!py_dev)

psutil/arch/freebsd/proc.c

@@ -129,7 +129,7 @@ psutil_proc_exe(PyObject *self, PyObject *args) {
         else if (ret == 0)
             return psutil_oserror_nsp("psutil_pid_exists -> 0");
         else
-            strcpy(pathname, "");
+            str_copy(pathname, sizeof(pathname), "");
     }
 
     return PyUnicode_DecodeFSDefault(pathname);
@@ -330,20 +330,20 @@ psutil_proc_memory_maps(PyObject *self, PyObject *args) {
             (uintmax_t)kve->kve_end
         );
         psutil_remove_spaces(addr);
-        strlcat(
+        str_append(
             perms,
-            kve->kve_protection & KVME_PROT_READ ? "r" : "-",
-            sizeof(perms)
+            sizeof(perms),
+            kve->kve_protection & KVME_PROT_READ ? "r" : "-"
         );
-        strlcat(
+        str_append(
             perms,
-            kve->kve_protection & KVME_PROT_WRITE ? "w" : "-",
-            sizeof(perms)
+            sizeof(perms),
+            kve->kve_protection & KVME_PROT_WRITE ? "w" : "-"
         );
-        strlcat(
+        str_append(
             perms,
-            kve->kve_protection & KVME_PROT_EXEC ? "x" : "-",
-            sizeof(perms)
+            sizeof(perms),
+            kve->kve_protection & KVME_PROT_EXEC ? "x" : "-"
         );
 
         if (strlen(kve->kve_path) == 0) {

psutil/arch/linux/net.c

@@ -71,7 +71,8 @@ psutil_net_if_duplex_speed(PyObject *self, PyObject *args) {
     sock = socket(AF_INET, SOCK_DGRAM, 0);
     if (sock == -1)
         return psutil_oserror_wsyscall("socket()");
-    PSUTIL_STRNCPY(ifr.ifr_name, nic_name, sizeof(ifr.ifr_name));
+    str_copy(ifr.ifr_name, sizeof(ifr.ifr_name), nic_name);
+
 
     // duplex and speed
     memset(&ethcmd, 0, sizeof ethcmd);

psutil/arch/netbsd/proc.c

@@ -96,7 +96,7 @@ psutil_proc_exe(PyObject *self, PyObject *args) {
         else if (ret == 0)
             return psutil_oserror_nsp("psutil_pid_exists -> 0");
         else
-            strcpy(pathname, "");
+            str_copy(pathname, sizeof(pathname), "");
     }
 
     return PyUnicode_DecodeFSDefault(pathname);

psutil/arch/netbsd/socks.c

@@ -407,8 +407,8 @@ psutil_net_connections(PyObject *self, PyObject *args) {
                                                   ->ki_src;
                 struct sockaddr_un *sun_dst = (struct sockaddr_un *)&kp->kpcb
                                                   ->ki_dst;
-                strcpy(laddr, sun_src->sun_path);
-                strcpy(raddr, sun_dst->sun_path);
+                str_copy(laddr, sizeof(sun_src->sun_path), sun_src->sun_path);
+                str_copy(raddr, sizeof(sun_dst->sun_path), sun_dst->sun_path);
                 status = PSUTIL_CONN_NONE;
                 py_laddr = PyUnicode_DecodeFSDefault(laddr);
                 if (!py_laddr)

psutil/arch/osx/disk.c

@@ -71,61 +71,61 @@ psutil_disk_partitions(PyObject *self, PyObject *args) {
 
         // see sys/mount.h
         if (flags & MNT_RDONLY)
-            strlcat(opts, "ro", sizeof(opts));
+            str_append(opts, sizeof(opts), "ro");
         else
-            strlcat(opts, "rw", sizeof(opts));
+            str_append(opts, sizeof(opts), "rw");
         if (flags & MNT_SYNCHRONOUS)
-            strlcat(opts, ",sync", sizeof(opts));
+            str_append(opts, sizeof(opts), ",sync");
         if (flags & MNT_NOEXEC)
-            strlcat(opts, ",noexec", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noexec");
         if (flags & MNT_NOSUID)
-            strlcat(opts, ",nosuid", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nosuid");
         if (flags & MNT_UNION)
-            strlcat(opts, ",union", sizeof(opts));
+            str_append(opts, sizeof(opts), ",union");
         if (flags & MNT_ASYNC)
-            strlcat(opts, ",async", sizeof(opts));
+            str_append(opts, sizeof(opts), ",async");
         if (flags & MNT_EXPORTED)
-            strlcat(opts, ",exported", sizeof(opts));
+            str_append(opts, sizeof(opts), ",exported");
         if (flags & MNT_LOCAL)
-            strlcat(opts, ",local", sizeof(opts));
+            str_append(opts, sizeof(opts), ",local");
         if (flags & MNT_QUOTA)
-            strlcat(opts, ",quota", sizeof(opts));
+            str_append(opts, sizeof(opts), ",quota");
         if (flags & MNT_ROOTFS)
-            strlcat(opts, ",rootfs", sizeof(opts));
+            str_append(opts, sizeof(opts), ",rootfs");
         if (flags & MNT_DOVOLFS)
-            strlcat(opts, ",dovolfs", sizeof(opts));
+            str_append(opts, sizeof(opts), ",dovolfs");
         if (flags & MNT_DONTBROWSE)
-            strlcat(opts, ",dontbrowse", sizeof(opts));
+            str_append(opts, sizeof(opts), ",dontbrowse");
         if (flags & MNT_IGNORE_OWNERSHIP)
-            strlcat(opts, ",ignore-ownership", sizeof(opts));
+            str_append(opts, sizeof(opts), ",ignore-ownership");
         if (flags & MNT_AUTOMOUNTED)
-            strlcat(opts, ",automounted", sizeof(opts));
+            str_append(opts, sizeof(opts), ",automounted");
         if (flags & MNT_JOURNALED)
-            strlcat(opts, ",journaled", sizeof(opts));
+            str_append(opts, sizeof(opts), ",journaled");
         if (flags & MNT_NOUSERXATTR)
-            strlcat(opts, ",nouserxattr", sizeof(opts));
+            str_append(opts, sizeof(opts), ",nouserxattr");
         if (flags & MNT_DEFWRITE)
-            strlcat(opts, ",defwrite", sizeof(opts));
+            str_append(opts, sizeof(opts), ",defwrite");
         if (flags & MNT_UPDATE)
-            strlcat(opts, ",update", sizeof(opts));
+            str_append(opts, sizeof(opts), ",update");
         if (flags & MNT_RELOAD)
-            strlcat(opts, ",reload", sizeof(opts));
+            str_append(opts, sizeof(opts), ",reload");
         if (flags & MNT_FORCE)
-            strlcat(opts, ",force", sizeof(opts));
+            str_append(opts, sizeof(opts), ",force");
         if (flags & MNT_CMDFLAGS)
-            strlcat(opts, ",cmdflags", sizeof(opts));
+            str_append(opts, sizeof(opts), ",cmdflags");
             // requires macOS >= 10.5
 #ifdef MNT_QUARANTINE
         if (flags & MNT_QUARANTINE)
-            strlcat(opts, ",quarantine", sizeof(opts));
+            str_append(opts, sizeof(opts), ",quarantine");
 #endif
 #ifdef MNT_MULTILABEL
         if (flags & MNT_MULTILABEL)
-            strlcat(opts, ",multilabel", sizeof(opts));
+            str_append(opts, sizeof(opts), ",multilabel");
 #endif
 #ifdef MNT_NOATIME
         if (flags & MNT_NOATIME)
-            strlcat(opts, ",noatime", sizeof(opts));
+            str_append(opts, sizeof(opts), ",noatime");
 #endif
         py_dev = PyUnicode_DecodeFSDefault(fs[i].f_mntfromname);
         if (!py_dev)