U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.


OpenBSD's strlcpy() and strlcat()

Published: September 27, 2005 | Last revised: May 14, 2013

Author(s): Daniel Plakosh Maturity Levels and Audience Indicators: L2  / D/P L  SDLC Life Cycles: Implementation Copyright: Copyright © Carnegie Mellon University 2005-2012.


Many UNIX variants provides the strlcpy() and strlcat() functions to copy and concatenate strings in a less error-prone manner.

Development Context

Copying and concatenating character strings

Technology Context

C, UNIX, FreeBSD, OpenBSD, NetBSD, MacOS X, Solaris


Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.


The strcpy() and strcat() functions are a source of buffer overflow vulnerabilities.


The strlcpy() and strlcat() functions copy and concatenate strings in a less error-prone manner than the corresponding C99 functions. These functions’ prototypes are as follows:

size_t strlcpy(char *dst, const char *src, size_t size);
size_t strlcat(char *dst, const char *src, size_t size);

The strlcpy() function copies the null-terminated string from src to dst (up to size characters). The strlcat() function appends the null-terminated string src to the end of dst (but no more than size characters will be in the destination).

To help prevent writing outside the bounds of the array, the strlcpy() and strlcat() functions accept the full size of the destination string as a size parameter. For static buffers, this value is easily computed at compile time using the sizeof() operator.

Both functions guarantee that the destination string is null terminated for all nonzero-length buffers.

The strlcpy() and strlcat() functions return the total length of the string they tried to create. For strlcpy() that is simply the length of the source; for strlcat() it is the length of the destination (before concatenation) plus the length of the source. To check for truncation, the programmer needs to verify that the return value is less than the size parameter. If the resulting string is truncated, the programmer now has the number of bytes needed to store the entire string and may reallocate and recopy.

Neither strlcpy() nor strlcat() zero-fills its destination strings (other than the compulsory null byte to terminate the string). This results in performance close to that of strcpy() and much better than strncpy() [Miller 99].

Unfortunately, strlcpy() and strlcat() are not universally available in the standard libraries of UNIX systems. Both functions are defined in string.h for many UNIX variants, including Solaris, but not for GNU/Linux. Because these are relatively small functions, however, you can easily include them in your own program's source whenever the underlying system doesn't provide them. It is still possible (however unlikely) that the incorrect use of these functions will result in a buffer overflow if the specified buffer size is longer than the actual buffer length.


[ISO/IEC 99]

ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01 Programming languages — C. International Organization for Standardization, 1999.

[Miller 99]

Miller, T. C. & de Raadt, T. "strlcpy and strlcat—Consistent, Safe String Copy and Concatenation," 175-178. Proceedings of the FREENIX Track, 1999 USENIX Annual Technical Conference. Monterey, CA, June 6-11, 1999. Berkeley, CA: USENIX Association, 1999. http://www.usenix.org/publications/library/proceedings/usenix99/ full_papers/millert/millert.pdf.

Back to Top