lib/59540: strlcpy(3) has an off-by-one in the manual page

[rwhitlock22%gmail.com@localhost]

>Number:         59540
>Category:       lib
>Synopsis:       strlcpy(3) has an off-by-one in the manual page
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 21 19:00:00 +0000 2025
>Originator:     Robert Whitlock
>Release:        NetBSD current, 10.99.14, July 11, 2025
>Organization:
>Environment:
see above
>Description:
strlcpy(3) claims that strlcpy leaves bytes past dst[strlen(src) + 1] uninitialized, when it would be more precise to say that it leaves bytes past dst[strlen(src)] uninitialized. This can be easily seen by considering the case where src is the empty string "". Then strlen(src) == 0 and dst[strlen(src) + 1] == dst[1], which is one past the terminating NUL byte that is there when strlcpy has finished. The first byte past dst[1] is then the second byte past the NUL terminating byte.

The patch also includes a minor formatting fix.
>How-To-Repeat:
man strlcpy
>Fix:
Index: strlcpy.3
===================================================================
RCS file: /cvsroot/src/lib/libc/string/strlcpy.3,v
retrieving revision 1.25
diff -u -r1.25 strlcpy.3
--- strlcpy.3	2 Apr 2025 00:50:19 -0000	1.25
+++ strlcpy.3	21 Jul 2025 18:18:15 -0000
@@ -79,7 +79,7 @@
 then the
 .Fn strlcat
 function returns
-.Fa size + Fn strlen src
+.Fa size Li + Fn strlen src
 without writing anything to
 .Fa dst .
 .Pp
@@ -146,11 +146,11 @@
 \(em
 .Fn strlcpy
 leaves bytes past
-.Fa dst Ns Li "[" Fn strlen src Li "+ 1" Ns Li "]"
+.Fa dst Ns Li "[" Fn strlen src Ns Li "]"
 uninitialized, and
 .Fn strlcat
 leaves bytes past
-.Fa dst Ns Li "[" Fn strlen dst Li + Fn strlen src Li + 1 Ns Li "]"
+.Fa dst Ns Li "[" Fn strlen dst Li + Fn strlen src Ns Li "]"
 uninitialized.
 This can lead to security vulnerabilities such as leaking secrets from
 uninitialized stack or heap buffers.