TL;DR

The curl project has replaced direct strcpy calls with a new bounded copy function, following an earlier removal of strncpy from the code base. The replacement enforces size checks at the point of copy and uses memcpy internally, writing the copied string and its terminating NUL only when the source fits.

What happened

In a recent blog post, curl maintainer Daniel Stenberg explained that the project has removed the use of strcpy from its source tree by introducing a replacement function that requires explicit buffer sizes and source lengths. This follows an earlier effort to remove strncpy calls, which were judged problematic because they can leave the destination without a NUL terminator or pad buffers unnecessarily. The new function, shown in the post as curlx_strcopy, accepts a destination pointer, destination size, source pointer and source length; it asserts that the source fits, then performs the copy with memcpy and writes a terminating NUL when there is room, or writes an empty string when there is not. The change aims to keep size checks adjacent to the copy operation so they cannot drift apart during long-term maintenance. The post also notes a secondary benefit: fewer opportunities for automated tools and chatbots to flag strcpy in curl as an insecure pattern.

Why it matters

  • Tightening copy semantics reduces the chance that buffer-size checks and the copy call will become separated during future edits, lowering maintenance risk.
  • Requiring explicit destination size and source length makes each copy decision more explicit and verifiable in code reviews.
  • Using memcpy plus an explicit NUL terminator removes strncpy’s corner-case behavior, where the destination might be left without a NUL terminator or be padded.
  • The change may reduce low-quality automated vulnerability reports that focus on the mere presence of strcpy in source code.

Key facts

  • Source: blog post by Daniel Stenberg, dated December 29, 2025.
  • curl previously removed all uses of strncpy from its code base.
  • The project introduced curlx_strcopy(dest, dsize, src, slen) to replace strcpy calls.
  • The replacement asserts slen < dsize, copies slen bytes with memcpy, and writes a NUL terminator when space permits.
  • If the source length does not fit, the function writes a NUL at dest[0] when dsize is nonzero.
  • The change lets the project ban strcpy from the code base similarly to how strncpy was removed.
  • The post includes references to density charts for strncpy and strcpy usage over time (specific data not detailed in the post).
  • The author suggests the replacement is more verbose to use but offers better oversight for correctness.
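
The copy semantics listed above, set beside strncpy's corner cases, as an added example that is not code from curl or from the blog post. The name bounded_strcopy and the sample strings are hypothetical, and the fit assertion the post describes is left out here (an assumption) so that the no-fit fallback can be exercised.

```c
#include <stdio.h>
#include <string.h>

/* Sketch of the described behaviour; bounded_strcopy is a hypothetical
   name and this is not curl's source. The fit assertion is omitted
   (assumption) so the fallback branch can run. */
static void bounded_strcopy(char *dest, size_t dsize,
                            const char *src, size_t slen)
{
  if(slen < dsize) {          /* room for slen bytes plus the NUL */
    memcpy(dest, src, slen);
    dest[slen] = '\0';
  }
  else if(dsize)              /* does not fit: leave an empty string */
    dest[0] = '\0';
}

/* Count NUL bytes: 0 means unterminated, more than 1 means padding. */
static size_t count_nuls(const char *buf, size_t size)
{
  size_t i, n = 0;
  for(i = 0; i < size; i++)
    n += (buf[i] == '\0');
  return n;
}

/* Pre-fill buf with 'X', copy with strncpy, report the NUL count. */
static size_t nuls_after_strncpy(char *buf, size_t dsize, const char *src)
{
  memset(buf, 'X', dsize);
  strncpy(buf, src, dsize);
  return count_nuls(buf, dsize);
}

/* Same experiment with the bounded copy. */
static size_t nuls_after_bounded(char *buf, size_t dsize, const char *src)
{
  memset(buf, 'X', dsize);
  bounded_strcopy(buf, dsize, src, strlen(src));
  return count_nuls(buf, dsize);
}

int main(void)
{
  char buf[8];                /* constructed sample inputs below */
  printf("strncpy, 8 chars: %zu\n", nuls_after_strncpy(buf, 8, "ABCDEFGH"));
  printf("strncpy, 2 chars: %zu\n", nuls_after_strncpy(buf, 8, "ab"));
  printf("bounded, 8 chars: %zu\n", nuls_after_bounded(buf, 8, "ABCDEFGH"));
  printf("bounded, 2 chars: %zu\n", nuls_after_bounded(buf, 8, "ab"));
  return 0;
}
```

A count of 0 is an unterminated buffer and a count above 1 is zero padding; the bounded copy yields exactly one NUL in both cases, either after the copied bytes or at dest[0].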

What to watch next

  • Whether the curl maintainers will retroactively replace all remaining strcpy occurrences across releases: not confirmed in the source.
  • If this pattern (explicit size+length copy wrapper) spreads to other C projects as a recommended practice: not confirmed in the source.
  • How the change affects code churn and reviewer workload over time — the author proposes revisiting in a decade: not confirmed in the source.

Quick glossary

  • strcpy: A C standard library function that copies a NUL-terminated source string into a destination buffer without taking the destination size as an argument.
  • strncpy: A C function that copies up to a given number of bytes from a source to destination but can leave the destination without a terminating NUL and pads with zeros if the source is shorter.
  • memcpy: A memory-copy function that copies a specified number of bytes from a source address to a destination address; it does not add a terminating NUL.
  • NUL terminator: A zero byte ('\0') used in C strings to mark the end of a character sequence.

Reader FAQ

Why did curl remove strncpy earlier?
The project judged strncpy’s API problematic because it can leave the destination without a terminating NUL and pads the rest of the target buffer, making it error-prone.

Why replace strcpy with a custom function?
To force size checks to be provided alongside the copy operation so those checks cannot drift apart over time, and to write the copied string and its terminating NUL only when the source fits.

Does this change fix all potential buffer-overflow bugs?
Not confirmed in the source.

Will existing code using strcpy need manual updates?
Not confirmed in the source.

Source post: "No strcpy either", by Daniel Stenberg, December 29, 2025 (curl and libcurl). Excerpt: "Some time ago I mentioned that we went through the curl source code and eventually got…"
