Forgot your password?
typodupeerror
Programming Security IT Technology

Microsoft To Banish Memcpy() 486

Posted by kdawson
from the good-riddance dept.
kyriacos notes that Microsoft will be adding memcpy() to its list of function calls banned under its secure development lifecycle. This reader asks, "I was wondering how advanced C/C++ programmers view this move. Do you find this having a negative impact on the flexibility of the language, and do you think it will restrict the creativity of the programmer?"
This discussion has been archived. No new comments can be posted.

Microsoft To Banish Memcpy()

Comments Filter:
  • by MerlynEmrys67 (583469) on Friday May 15, 2009 @11:29AM (#27967345)
    Just like removing printf, scanf, and most other copy/string functions. There are safe versions of memcpy that work just fine and are just as easy to use...
    Lame story (Trying for flamebait here?)
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      And they aren't even removed, but (by default) a warning is issued when using them. I'd say it's a good move - passing the size of the destination buffer is usually not that complicated.

      • by Anonymous Coward on Friday May 15, 2009 @12:16PM (#27968351)

        I'd say it's a good move - passing the size of the destination buffer is usually not that complicated.

        Are you high? It already takes a size argument. If this were about strcpy(3), then you'd have a point, but I do not think memcpy(3) means what you think it means.

        I'm not saying you can't get yourself into trouble with inappropriate use of memcpy(3), but buffer overruns aren't the go-to threat every time.

        NAME
        memcpy - copy memory area

        SYNOPSIS
        #include <string.h>

        void *memcpy(void *dest, const void *src, size_t n);

        DESCRIPTION
        The memcpy() function copies n bytes from memory area src to memory area dest. The memory
        areas should not overlap. Use memmove(3) if the memory areas do overlap.

        • by Anonymous Coward on Friday May 15, 2009 @12:38PM (#27968801)

          It's a psychological thing. Having a separate parameter for the size of the destination buffer forces the programmer to think about what that size is. Too often programmers call memcpy passing the size of the data that needs copying and forget to check that the destination is big enough. And that's why we see so many buffer overflows.

          If you never make this mistake continue to use memcpy. I don't care and neither does Microsoft.

          • by Duhavid (677874) on Friday May 15, 2009 @01:22PM (#27969555)

            It still will not help.

            If they are a sloppy enough programmer not to look at what is going on, and to ensure the size of the destination, they will be sloppy enough to use the same dratted variable in both spots, drool all over the keyboard and move on to the next sloppy bit of code.

            • by dhavleak (912889) on Friday May 15, 2009 @01:39PM (#27969791)
              Right -- but a static analysis tool can catch precisely that behavior at compile time.
        • I'm not saying you can't get yourself into trouble with inappropriate use of memcpy(3), but buffer overruns aren't the go-to threat every time.

          Didn't we already defeat the goto threat?

          More to the point, if the developer doesn't know what memcpy does and how to use it correctly ... I mean ...
          You might aswell write the 3 lines of code behind memcpy yourself.

        • by dannannan (470647) on Friday May 15, 2009 @01:59PM (#27970079)

          Technically one size argument is enough, but in a large enough software project the code that allocates the destination buffer is maintained separately from the code that copies into it. Any failure in communication (e.g. building against an outdated library) will lead to someone's linker writing a binary with code that will overrun a buffer.

          With an explicit destination size parameter, the buffer copy code is no longer as sensitive to changes at the allocation site. A breakdown in communication will lead to a binary that produces a controlled runtime error instead of a buffer overrun.

          • Whilst you are correct, if Microsoft is going to essentially replace the standard C library with one that has an incompatible API, why not just call it a new library and have done with it?

            Or, better yet, if security really was the goal, develop a C-like language that was secure by design?

            By simply making things awkward for people to write portable code, all they do is ensure that there are multiple code bases for projects (which increases the opportunity for error) or ensures that people won't write portably. Which is a more likely goal, given who we are talking about.

            • Re: (Score:3, Insightful)

              by niteice (793961)

              Or, better yet, if security really was the goal, develop a C-like language that was secure by design?

              And then why don't you make it compile to non-native code, so you can do code analysis at runtime? Might as well give it a good standard library that uses all the features so people would try writing stuff. Of course, you can't name it C then, maybe you should give it a catchier name with some punctuation or other pun on the language.

              Hey, wait a minute... [microsoft.com]

            • by mustafap (452510) on Friday May 15, 2009 @04:42PM (#27972327) Homepage

              >Or, better yet, if security really was the goal, develop a C-like language that was secure by design?

              Or, better yet, if security really was the goal, use Ada.

              There, fixed that for you :o)

          • by drew (2081) on Friday May 15, 2009 @04:08PM (#27971871) Homepage

            I understand the problem you are describing, but I fail to see how this solution addresses it. If there is already a disconnect between the programmer doing the copying and the programmer doing the allocating, then making the programmer doing the copying repeat himself is not going to fix the problem.

            The only problem this function solves is buffer over flows caused by a programmer calculating a number of bytes to copy at runtime (e.g. by reading it from a Content-Length header) and failing to check the calculated value against what he believes is the actual size of the buffer. If the value that he believes to be the size of the buffer is wrong, changing from memcpy to memcpy_s will not catch the mistake. In other words, changing from memcpy to memcpy_s will only protect against sloppy programmers, and if they don't understand what the function is supposed to be protecting them from (which is likely) they'll probably just use the same value for copy_size and dst_size anyway (or switch to memmove), which will completely defeat the purpose of blacklisting memcpy in the first place.

            Not to mention, if you're doing any pointer arithmetic and writing to an offset some number of bytes past *buffer, then passing the size of *buffer doesn't really help, unless the function is smart enough to know that (I don't see how it could be unless we pass that as a parameter as well), or the user is smart enough to calculate the remaining size of *buffer. If the user is one of the sloppy programmers that this function is meant to protect against in the first place, I think that is highly unlikely, don't you?

    • by Anonymous Coward on Friday May 15, 2009 @11:38AM (#27967551)

      safe versions - if you prefer to blindly program away, not worrying about where your objects end up in memory. But - what is "safe"? Is there any replacement for properly testing all I/O from all possible sources?

      • by FlyingBishop (1293238) on Friday May 15, 2009 @12:56PM (#27969115)

        That's physically impossible, even given infinite time. Read up on the halting problem.

        However, programming a framework in which we may rule out certain things, for example a process jumping over and altering the OS, is perfectly possible. It just has to be verified through reasoning, rather than testing. The unit testing methodology is really the problem here. You cannot unit test everything.

        Don't get me wrong, testing is a good start, but it's no proof of security, and a proof of security, while very hard, is possible. Kudos to Microsoft.

        And to expand on the GP for those that didn't RTFA, they replaced Memcpy with a memcpy that forced you to state the size of the destination buffer, which is a constant time operation, and a much needed one. So this only forces C coders to make their code a little more clear.

        And when you're being intentionally unclear to the computer in addition to the reader, your code has no place in a secure production setting.

        • Re: (Score:3, Insightful)

          by Ciaran Power (447593)

          That's physically impossible, even given infinite time. Read up on the halting problem.

          No it's not. A computer is not a Turing machine - it has finite memory (=> finite # of states), an algorithm has to halt or visit a state it's already been in.

          And to expand on the GP for those that didn't RTFA, they replaced Memcpy with a memcpy that forced you to state the size of the destination buffer, which is a constant time operation, and a much needed one. So this only forces C coders to make their code a little more clear.

          Fair enough, well done MS. But their new memcpy can be lied to (memcpy_s(dst, 9999, src, 40)) and guys who aren't keeping track of (and checking) their remaining destination size are the guys likely to lie to memcpy_s

        • In an effort to "one-up" Microsoft, Apple promises to replace their own memcpy() with one that not only does not require a size for the destination buffer, but does not require a destination buffer at all. While Apple programmers call the move "totally pointless" and "absolute proof of functional retardation", Steve Jobs has simply responded, sagely, that the future of Apple development is through so-called "intuitive APIs". It just works.
    • Though "memcpy()" is slightly faster than "memmove()", the latter is safer.

      As Windows products are now (and have been) mainstream products used extensively in banks and other financial institutions, reliability and security (RS) have prime importance. The speed that "memcpy()" gets you is not worth the price of reduced RS.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Internally to Microsoft, "banned" means that no products can be shipped using these functions. Externally, this is just a recommendation.

    • by Chris Burke (6130) on Friday May 15, 2009 @12:19PM (#27968399) Homepage

      Just like removing printf, scanf, and most other copy/string functions. There are safe versions of memcpy that work just fine and are just as easy to use...

      There's nothing unsafe about printf (since compilers started doing format type checking), as long as you don't use user input as the format string. To print user input, you use printf("%s", user_input).

      strcpy() is unsafe because you don't know how many bytes you are going to be copying. strncpy() is completely safe as long as you aren't brain dead and set the 'n' to the size of the destination buffer (as opposed to strlen(src) which would be brain dead) and then slap an '\0' into the last index of the dest. sprintf, same deal, just use snprintf and tell it the max bytes it can print.

      So what's unsafe about memcpy()? You explicitly specify the number of bytes to copy. If that number of bytes is greater than the known size of the destination buffer, then you've got a problem that simply adding a second 'size of dest' paramater to the copy won't fix because you already screwed the pooch on figuring that out now didn't you?

      Yes memcpy() doesn't work if src and dest overlap. When that's happening, you typically know about it (you've got some clever in-situ array modification going on) and can use memmove(). memmove(), on the other hand, is equally unsafe if you can't properly specify the number of bytes to copy.

      Bottom line: There's no such thing as a "safe" copy in C when we're assuming the programmer can't figure out the destination buffer size.

      • by George Reilly (144033) on Friday May 15, 2009 @02:08PM (#27970231) Homepage

        There's nothing unsafe about printf (since compilers started doing format type checking), as long as you don't use user input as the format string. To print user input, you use printf("%s", user_input).

        %n writes to the stack. It's disabled by default in VS2005 onwards. More at http://weblogs.asp.net/george_v_reilly/archive/2007/02/06/printf-n.aspx and http://julianor.tripod.com/bc/formatstring-1.2.pdf

      • So why is strncpy in the banned [microsoft.com] function list?

        I think this is just Microsoft trying to embrace and extend. There's no better way to do that then making most existing C and C++ code invalid. The quickest alternative, of course, is to write it in C# or some other embraced language.

        Hypocritically, Microsoft did NOT add memset to the banned list despite it having almost exactly the same problems as memcpy. Why? Almost every MSDN example begins with "memset(somestruct,0,sizeof(somestruct))" and invalidating every MSDN example would probably look bad.

        As you pointed out, the size of the destination buffer makes no sense when dealing with pure pointers. Often memcpy is used to move memory around inside larger buffers, which completely invalidates memcpy_s as a safe replacement. memcpy is also often used to copy smaller buffers into larger ones, and accidentally copying the uninitialized (or carefully crafted by some exploit) data that comes after the source object can be just as dangerous. The correct replacement, memcpy_overkill(void *source_object, size_t source_size, size_t source_offet, void *dest_object, size_t dest_size, size_t dest_offset, size_t count) is what they're REALLY looking for, but this is impractical primarily because of the heavy use of context-less pointers (to objects within arrays, or within some other structure; the void * in memcpy's prototype hints at further possibilities) in C and C++.

    • Re: (Score:3, Insightful)

      by Opportunist (166417)

      So copying with the destination buffer size specified makes it safe? How so?

      If I knew that the value I want to copy won't fit into the destination buffer, I wouldn't copy it there. Simple as that. Oh, because the size of the source might be variable? Then maybe the coder should do a size_ssize_d?size_s:size_d as the size argument. Taking a variable that isn't under the coder's full control as a size in any memory manipulation operation is asking for trouble anyway.

      Do you think it will be safer now that you

  • This should have been done thirty years ago.

    • by Smidge207 (1278042) on Friday May 15, 2009 @11:33AM (#27967451) Journal

      ...and pop up a message box asking the user to confirm they want to copy the memory, and if they press OK then they should have to enter a captcha.

      Seriously though, how is it supposed to make your code safer if you pass the size you think your destination buffer is? With memcpy, that size is implicitly greater or equal to the copy size and it's the caller's responsibility to make sure this is the case. Putting bounds checking into the copy function is ridiculous if you're responsible for passing the bounds yourself, and it goes against basic good design. I'm surprised they aren't passing the source buffer size too, just to be extra safe. Also, what happened to the __restrict keyword? It's strangely absent from the memcpy_s function declaration.

      =Smidge=

      • by Creepy (93888) on Friday May 15, 2009 @01:29PM (#27969659) Journal

        The problem is memcpy returns a void *. If this is dynamically cast, it needs to be checked at runtime and may even be set to a value the programmer never intended (say unsigned 16 bit values instead of unsigned 8 bit characters). It may be an issue with updating the code - say the code was originally written for 8 bit ASCII and got updated to, say UTF-16 (16 bit). A dynamically cast void* doesn't care what the size is, it just shoves the values in the buffer. This may work fine in basic testing even, because you never overflow the buffer with 1-2 characters, and maybe even gets past a QA team, but once you go past 1/2, you've got a buffer overrun.

        As I understand it, __restrict wouldn't work in a C++ program using dynamic_cast because it doesn't know the size at compile time (sorry, I'm not sure what is done in C as I haven't kept up with the language, so I have to use a C++ example). My guess is memcpy_s does runtime bounds checking (it isn't specified on the memcpy_s page, maybe the security ref - too busy to read it though).

        • Re: (Score:3, Informative)

          by Prof.Phreak (584152)

          Eh? the 'n' in memcpy call is number of -bytes-. not "things" you're trying to copy. it doesn't matter if you give it an array of signed 8 bit characters and copy it over to 32bit unsigned longs... you just specify n to be number of -bytes- to copy.

          How can this be confusing?

    • by james_shoemaker (12459) on Friday May 15, 2009 @11:39AM (#27967577)

      Why? I can see some justification on the strXXX functions where you don't know how many bytes are going to be copied unless you call strlen first, but in memcpy you pass how many bytes to copy in as a parameter. So this is to protect programmers who can't do math?

      • Why? I can see some justification on the strXXX functions where you don't know how many bytes are going to be copied unless you call strlen first, but in memcpy you pass how many bytes to copy in as a parameter. So this is to protect programmers who can't do math?

        Yes. The article describes a replacement function memcpy_s that compares the copy size to the destination buffer size and throws an exception if the copy size is larger. It's still unsafe if the program lies to memcpy_s about the destination buffer size, and now it appears to needs exception support in the runtime (which based on my tests can add an extra 64 KB to your elevator controller's firmware [catb.org]).

  • by Anonymous Coward on Friday May 15, 2009 @11:30AM (#27967373)
    Those are also dangerous functions. And also array indexing! That should also be eliminated.
  • by sunami (751539) on Friday May 15, 2009 @11:30AM (#27967379)

    Figures, Microsoft had to go kill of python and do it all in the name of security. No more accessing MEMory in C structures from our .PY files, damn it this really pisses me off.

    • Re:Python is done (Score:5, Informative)

      by Rycross (836649) on Friday May 15, 2009 @11:37AM (#27967535)

      No its not. This is only banned under Microsoft's Security Development Lifecycle, which means you only care about this if you're following those set of development guidelines. Its still in the language. And you can always use memcopy_s:

      Developers who want to be SDL compliant will instead have to replace memcpy() functions with memcpy_s, a newer command that takes an additional parameter delineating the size of the destination buffer.

  • by pthisis (27352) on Friday May 15, 2009 @11:32AM (#27967417) Homepage Journal

    Do you find this having a negative impact on the flexibility of the language, and do you think it will restrict the creativity of the programmer?"

    You can replace memcpy entirely with memmove (the latter is slightly slower and handles overlaps), and nothing in the article suggests that memmove is banned.

    But, no, it shouldn't hurt creativity--they're introducing a memcpy_s, which is the same aside from taking a size parameter for the destination. That's something that is generally easy to track in new code (obviously this secure developement lifecycle is not backwards compatible).

    • Re: (Score:3, Insightful)

      by ifdef (450739)

      Okay, I'm obviously missing something here. How is having an extra parameter for the destination size any safer? I always thought the third parameter to memcpy was the amount of data to copy, and since obviously it should never be set to anything larger than the size of the destination, how will having the destination size explicitly passed in help any?

      Or are we just talking about a convenience feature that will make it easier for lazy programmers?

      • by pthisis (27352) on Friday May 15, 2009 @11:53AM (#27967849) Homepage Journal

        Okay, I'm obviously missing something here. How is having an extra parameter for the destination size any safer? I always thought the third parameter to memcpy was the amount of data to copy, and since obviously it should never be set to anything larger than the size of the destination, how will having the destination size explicitly passed in help any?

        That's the error that this is trying to fix. I'm skeptical as to how much this will help; if you're that lazy, you can just set the destination size parameter to the same value as the amount to copy.

        But it might be easier to enforce at a code-review level in the organization: destination size always has to be a size tracked based on memory allocation.

    • Re: (Score:2, Insightful)

      by ksheff (2406)
      big deal. Now developers will write

      memcpy_s(dst, sizeof(dst), src, sizeof(dst));

      instead of

      memcpy(dst, src, sizeof(dst));

      If they've been screwing up and using the wrong size for the number of bytes to copy, what's going to stop them from screwing up and putting the wrong size for the size of the destination buffer? Nothing! Now the coders that have been using something like

      MIN(sizeof(dst), bytes_to_copy)

      for the last parameter for years will have to change their code. Oh well...it's job security f

      • by pthisis (27352) on Friday May 15, 2009 @11:58AM (#27967965) Homepage Journal

        Now developers will write

                memcpy_s(dst, sizeof(dst), src, sizeof(dst));

        I get the feeling that this is mainly for Microsoft internally developed code which conforms to their security guidelines. As such, it's probably mainly intended to help in code reviews. Still pretty dubious.

        Now the coders that have been using something like

                MIN(sizeof(dst), bytes_to_copy)

        for the last parameter for years will have to change their code.

        That fails in the common case of dst being a real pointer (whether it's indexing into a static array or dynamically allocated memory or whatever).

      • Re: (Score:3, Informative)

        by Tony Hoyle (11698)

        memcpy_s(dst, sizeof(dst), src, sizeof(dst));

        Whilst that will work, it probably doesn't do what you think.

        Hint: dst and src are pointers.

  • by adonoman (624929) on Friday May 15, 2009 @11:33AM (#27967459)
    First they came for gets, then they took scanf and strcpy, now they want memcpy? Outrageous! How are virus writers going to be able to take advantage of buffer overflows if I'm continuously keeping track of how big my buffers are? I may have to start lying about their size just to give hackers a chance.
    • by Anonymous Coward on Friday May 15, 2009 @12:12PM (#27968267)

      First they came for gets, And I didn't speak up because I didn't use gets
      Then they came for scanf, And I didn't speak up because I didn't use scanf
      Then they came for strcpy, And I didn't speak up because I didn't use strcpy
      And then... they came for memcpy... And by that time there was no one left to speak up.

  • by Anonymous Coward on Friday May 15, 2009 @11:35AM (#27967487)
    Someone already explained [perl.org] this better than I could.
  • by tb3 (313150)

    Lots of hand-waving marketing bullshit. I'm sure they're going to keep using it internally, and the exploits will still happen with Microsoft code. Just like Microsoft applications will be ignored by UAC in Windows 7.

    If they wanted to do something useful, they should have removed createRemoteThread [microsoft.com] instead.

  • by the_arrow (171557) on Friday May 15, 2009 @11:37AM (#27967519) Homepage

    I have often used memcpy instead of strcpy when I have known the length of the strings, and also known the destination to be large enough.
    I'm guessing many developers will just #define memcpy to something else and continue as nothing happened.

  • by Anonymous Coward

    If you consider memcpy too dangerous then you should be using something besides C. If you're using C++ and memcpy then you really do need to know what both you and the compiler are doing.

  • by Anonymous Coward on Friday May 15, 2009 @11:37AM (#27967543)

    The problem with strcpy() and sprintf() and like functions is that you don't know when calling them the length of the source to be copied into the supplied buffer. But with memcpy() you specify this length.

    Frequently, the size of the target is calculated at run time, so bugs in memcpy() tend to be in the area of this calculation, rather than in not checking if the source fits the target.

    Any lack of memcpy() would be easy to overcome, just use

              memcpy_s (dst, len, src, len)

    which is functionally identical to

              memcpy (dst, src, len)

  • I don't trust outright removals without a decent period of deprecation. Microsoft has a bad history of deciding some API or function is dirty and obsolete, only to find that they've broken some of their own code or made some functions impossible to implement in some environments.

    For example, they deprecated a Windows Mobile database API without having support for the new version in ActiveSync. Lots of suckers upgraded only to find out that the Grand Pubas down at Seattle Central pulled the rug out from u

    • by Shrike82 (1471633)
      It's only being "removed" for some form of secure certification. Basically if you use it you can't have your software certified as "secure", whatever that means. It's not being removed from the language.
  • Silly and useless (Score:5, Insightful)

    by ugen (93902) on Friday May 15, 2009 @11:46AM (#27967721)

    This is nothing like sprintf. In sprintf there is no way to know how much data will be created ahead of time, so limit on buffer size is useful to make sure there is no buffer overrun.

    With memcpy it is *precisely* known how much data will be copied. It is right there, 3rd parameter. If a developer can't do "if (sizetocopy = sizeofdstbuffer)", it is just as unlikely that he will be able to properly state that additional parameter that specifies the destination buffer size.

    Of course if Microsoft is so concerned with security, why the heck did it take them years to add snptinf()? All this is is another attempt to make crossplatform development that much harder (much like all those "obsolete" POSIX functions that will barf warnings unless you use a cryptic define).

    That said, if this silliness ever becomes a rule, I have an easy solution:
    #define memcpy(dst, src, size) memcpy_s((dst), (src), (size), (size))

    Problemo solved, now let's go actually write some real code.

  • by coppro (1143801) on Friday May 15, 2009 @11:48AM (#27967753)
    This is not the first time MS has done this. They have plenty of other standard functions that they have deprecated.

    Yes, you read that right. Microsoft is deprecating parts of an ISO Standard all by themselves. Not that this should surprise anyone. I would have absolutely no objection to them proposing to WG14 to deprecate those functions; heck, I'd encourage it! But besides going out and deciding to 'deprecate' parts of the standards, the replacement functions actually violate those same standards.

    And the warnings are irritating. You can't write a nice cross-platform library without either spewing tons of warnings or having to put in a bunch of #defines to shut the compiler up. And if you do that, your users get irritated if they depend on these warnings because you just turned them off (and of course, if you don't, they'll complain that your library is unsafe).

    Screw Microsoft.
    • by theCoder (23772) on Friday May 15, 2009 @12:15PM (#27968341) Homepage Journal

      In case anyone is curious, this is the type of thing that coppro is talking about:

          c:\Program Files\Microsoft Visual Studio 8\VC\include\io.h(318) : see declaration of 'close'
          Message: 'The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name: _close. See online help for details.'

      Now, as far as I know, no ISO body has deprecated functions like close(2), open(2), read(2), and write(2). And I've always heard that methods that start with an underscore are internal compiler functions and shouldn't be called directly. I don't know why the MS compiler writers think they can do this, but it is really annoying to get hundreds of warnings like this when compiling. In addition, it hides legitimate warnings that could indicate real problems.

      As to the article in question, I can't think of any good reason why memcpy(3C) would be considered unsafe, since it specifies the amount of memory to copy. Sure, you could use it to copy outside the bounds of dst, but that's just calling it incorrectly. It's not like sprintf(3C) where you could easily accidentally write outside the bounds of the string.

      • by hackerjoe (159094) on Friday May 15, 2009 @01:52PM (#27969979)

        no ISO body has deprecated functions like close(2), open(2), read(2), and write(2)

        That's correct, because ISO C++ never included those functions in the first place. POSIX != ISO C. (Not that MSVC is on any kind of reasonable schedule for keeping up with ISO standards, but that's a whole different issue...)

        Basically MS is deprecating their own terrible implementation of some POSIX compatibility. This is actually required for ISO C compliance: the compiler is not supposed to define a bunch of extraneous functions in the global namespace, because they might conflict with your names. Once those functions are removed entirely (and I believe you can #define them away right now) you can implement your own compatibility functions for software you're porting to Windows.

        Now, this is all entirely separate from the SDL warnings GP is complaining about, which show up when you use standard ISO C functions like strcpy, sprintf, and apparently now memcpy. Which, honestly, I wish weren't quite so irritatingly implemented, although I'm torn because using those functions really is terrible.

        It's not really that worth getting up in arms about, though, because JESUS CHRIST there's a compiler flag to disable the warnings, just put it in your makefile and quit bitching already!

      • Re: (Score:3, Interesting)

        Wrong, wrong, wrong.

        open, close, etc.. are not in ISO C++. Functions not in the spec (vendor-specific) are supposed to have an _ in front.

        Any function you can think of (including strcpy) is "safe" if the developer specifies correct parameters. Whoopdy Do. That doesn't mean it's something that's easily verified by runtime checkers, static analysis, etc... That's why it's deprecated - it's easy to perform additional safety checks if you include both the source and destination sizes.

    • Re: (Score:3, Informative)

      This is not the first time MS has done this. They have plenty of other standard functions that they have deprecated.

      Yes, you read that right. Microsoft is deprecating parts of an ISO Standard all by themselves.

      No, Microsoft isn't deprecating "parts of an ISO Standard" - only the standard committee can do that, by marking those parts as deprecated in the next version of the standard. Microsoft has enabled warnings on use of those "unsafe" functions by default, yes, but it is very much not the same thing.

      Regarding "all by themselves" part - do you realize that all those "safe" *_s functions are actually covered by an ISO C99 TR? [open-std.org]. There's also a FOSS implementation [sourceforge.net] available under the MIT license.

      And the warnings are irritating. You can't write a nice cross-platform library without either spewing tons of warnings or having to put in a bunch of #defines to shut the compiler up.

      You don't have to u

  • Workaround (Score:2, Insightful)

    by pensivepuppy (566965)
    #define memcpy(s1, s2, n) memcpy_s((s1), (n), (s2), (n))
  • . . . so ban it. If I really need it, I'll write my own. What happened when the US banned alcohol? Bootlegged Moonshine.

    " . . .do you think it will restrict the creativity of the programmer?"

    Quite the opposite, it will inspire them to find other creative ways around the restrictions.

    Oh, and you can grep your code and say, "Look! No memcpy()! I'm secure!" But what about self-written functions that does the same thing as memcpy(), with 1,000 different names?

  • by BitZtream (692029) on Friday May 15, 2009 @12:19PM (#27968403)

    As a competent developer, I get extremely annoyed by this sort of shit.

    Removing/banning memcpy doesn't change a damn thing cause the first thing I do with things that have to compile in VisualStudio now is add the following defines which turn this shit off:

    _CRT_SECURE_NO_WARNINGS
    _CRT_NONSTDC_NO_DEPRECATE

    If the remove that option I'll simply add memcpy to my standard MS compatibility library that deals with all the other bullshit MS decides to do.

    You can't fix stupid. Stop trying. People fuck up VB and C# apps just as much as the fuck up C and C++ apps. So they don't do it with a buffer overflow, they do it by shear stupidity. You'll be more secure by taking away languages that allow non-programmers to pretend to be programmers than making it harder on those of us that are just going to work around what you do anyway.

    You're not going to fix broken shitty apps with exploits by removing functions, the functions aren't the problem they do exactly as they are told (or atleast they are supposed to :). You need to fix the programmers who can't clarify what they want done.

    http://www.xkcd.com/568/ [xkcd.com]
    Second pane:
    You'll never find a programming language that frees you from the burden of clarifying your ideas.

  • easy fix (Score:5, Insightful)

    by Chris Snook (872473) on Friday May 15, 2009 @12:26PM (#27968537)

    Just write a one-liner that replaces all calls to memcpy with a call to memcpy_s, duplicating the size parameter.

    I'm only half-joking. This is exactly how people will (mis)use memcpy_s. If you want safe memory access, you need to ban the entire C language. For those cases where you need C, you'll just have to make sure your programmers know what they're doing.

  • by LanceUppercut (766964) on Friday May 15, 2009 @12:39PM (#27968813)

    Firstly, the specification of C anf C++ standard library is governed by the corresponding standard commitee. Microsoft has absolutely no authority to "banish" anything from neither C nor C++. They can deprecate it in their .NET code, C# etc., but it has absolutely no relevance to C and C++ languages. So, why would the author of the original question direct it to "advanced C and C++" programmers is beyond me. In general, C and C++ programmers will never know about this "interesting" development.

    Secondly, the tryly unsafe and useless functions in the C standard library are the functions like "gets", which offer absolutely no protection agains buffer overflow, regardless of how careful the develoiper is. Functions like 'memcpy', on the other hand, offer sufficient protection to a qualified developer. There's absolutely no sentiment against these functions in C/C++ community and there is absolutely no possiblity of these functions to get deprecated as long as C language exists.

  • by Dimwit (36756) on Friday May 15, 2009 @12:54PM (#27969079)

    Now, all that's going to happen is that programmers are going to write their own memcpy-like routines using a quicky for-loop or something. It'll be just as bug prone, and harder to detect via automated source code analysis.

    • by GleeBot (1301227) on Friday May 15, 2009 @01:39PM (#27969789)

      Now, all that's going to happen is that programmers are going to write their own memcpy-like routines using a quicky for-loop or something. It'll be just as bug prone, and harder to detect via automated source code analysis.

      Not to mention it'll be slower. memcpy is one of the most optimized functions in any C library. It's frequently handled as a compiler intrinsic, that can do stuff like unroll short copies, generate optimal machine code, etc.

  • by wandazulu (265281) on Friday May 15, 2009 @02:04PM (#27970175)

    There have been several suggestions to replace memcpy with memcpy_s as the safer alternative. That's fine, I guess, if memcpy_s is part of the ANSI/ISO standard for C, which as far as I know, it is not; just like all the *_s functions.

    Microsoft says your code is safer when using the *_s, but it will no longer be portable, it'll be Microsoft-only. They put in a warning in the compiler from VS2005 onwards about using "unsafe" functions, and that you should use *_s, which is a pain because you have to disable it as the project level, there doesn't seem to be anywhere that I've found that can just turn it off permanently. Even using the STL that comes with VS2008 will generate these warnings, even if you never do any explicit memory stuff yourself.

    Microsoft did the same thing with the _* functions; a lot of them are just wrappers around their ANSI-compliant versions (_sprintf -> sprintf), but are also not portable; I worked with a guy who wrote/tested all his C code in VS6 then gave it to me to port to Unix and VMS, and the compilers would choke on not having these particular functions.

    Microsoft is trying to get lock-in at the language level instead of providing a good set of Win32 API-based functions that make using memcpy() unnecessary.

  • Mixed views... (Score:3, Insightful)

    by jschmerge (228731) on Saturday May 16, 2009 @01:05AM (#27976433)
    I'm a C++ developer, and I'm mixed on this decision... On one hand, memcpy is a function that you can really hurt yourself with. On the other, it maps to extremely fast assembly that most processors can perform very quickly. There is a time & a place for everything. I think that a memcpy inside a class' constructor or assignment functions is perfectly acceptable, yet doing a memcpy(&destclass, &fromclass, sizeof(destclass)) is fundamentally dumb for more reasons than I care to illucidate (read one of Stroudstrup's or Meyer's books on C++ if you want to know). Doing something like that *really* demonstrates that you don't know the language.

    I guess Microsoft is trying to get people that don't understand C++ to program better in the language. IMHO, this will not solve fundamental problems with people programming C++, just cause them to learn the language slower by not having an experience working through a bastard of a bug. I think the world (and not just MS) needs to realize that writing a piece of complex software is difficult. Bugs like an errant memcpy of a subclass into a baseclass instance are *very* easy bugs to solve if you're looking for them. Memory overwrites are easy to detect if you are looking for them. Bad pointers are easy to detect if you're looking for them.

    Such problems will always exist in software. I've found a fair number in my own code. What we *really* need to do is train a better caliber of programmer. OTOH, Microsoft seems hell-bent on trying to make writing software easy to do

  • Please ban them (Score:3, Interesting)

    by Zoxed (676559) on Saturday May 16, 2009 @04:15AM (#27977151) Homepage

    (I have 20+ years proffesional programming experience, a good chunk of it in C/C++, and in recent years have spent a lot of time debugging other peoples code, especially ported, re-ported and generally hacked around code !)

    IMHO a lot of the posts here are missing the point when they say, "these functions are safe, you just need to check the size before hand" etc. The fact is, in the Real World, not everyone is an ace-programmer, deadlines loom, mistakes get made. Problems do not appear in testing, but can further down the line. IMHO a language simply should *not allow* the programmer to do crazy things. Potential buffer overflows, de-referencing null pointers etc should not get past the *compiler*.

    To be honest I do not have a prefered language to suggest, but I do not think that tweaking C is the answer, but better, high level, languages are needed.

"A great many people think they are thinking when they are merely rearranging their prejudices." -- William James

Working...