#ifndef _NTSTRSAFE_H_INCLUDED_
#ifndef NTSTRSAFE_LIB_IMPL
#ifndef NTSTRSAFE_NO_UNICODE_STRING_FUNCTIONS
#ifndef NTSTRSAFE_NO_CB_FUNCTIONS

/*++

  NTSTATUS
  RtlUnicodeStringCbCatStringNEx(
  _Inout_                PUNICODE_STRING DestinationString   OPTIONAL,
  _In_   LPCTSTR         pszSrc              OPTIONAL,
  _In_                   size_t          cbToAppend,
  _Out_opt_              PUNICODE_STRING RemainingString     OPTIONAL,
  _In_                   DWORD           dwFlags
  );

  Routine Description:

  This routine is a safer version of the C built-in function 'strncat', with
  some additional parameters and for PUNICODE_STRINGs. In addition to the
  functionality provided by RtlUnicodeStringCbCatStringN, this routine
  also returns a PUNICODE_STRING which points to the end of the destination
  string. The flags parameter allows additional controls.

Arguments:

DestinationString   -   pointer to the counted unicode destination string

pszSrc              -   source string

cbToAppend          -   maximum number of bytes to append

RemainingString     -   if RemainingString is non-null, the function will format
the pointer with the remaining buffer and number of
bytes left in the destination string

dwFlags             -   controls some details of the string copy:

STRSAFE_FILL_BEHIND
if the function succeeds, the low byte of dwFlags will be
used to fill the uninitialize part of destination buffer

STRSAFE_IGNORE_NULLS
do not fault if DestinationString is null and treat NULL pszSrc like
empty strings (L""). This flag is useful for emulating
functions like lstrcpy

STRSAFE_FILL_ON_FAILURE
if the function fails, the low byte of dwFlags will be
used to fill all of the destination buffer. This will
overwrite any truncated string returned when the failure is
STATUS_BUFFER_OVERFLOW

STRSAFE_ZERO_LENGTH_ON_FAILURE
if the function fails, the destination Length will be set
to zero. This will overwrite any truncated string
returned when the failure is STATUS_BUFFER_OVERFLOW.

STRSAFE_NO_TRUNCATION
if the function returns STATUS_BUFFER_OVERFLOW, pszDest
will not contain a truncated string, it will remain unchanged.

Notes:
Behavior is undefined if source and destination strings overlap.

DestinationString and pszSrc should not be NULL unless the STRSAFE_IGNORE_NULLS flag
is specified.  If STRSAFE_IGNORE_NULLS is passed, both DestinationString and pszSrc
may be NULL.  An error may still be returned even though NULLS are ignored
due to insufficient space.

Return Value:

STATUS_SUCCESS -   if all of pszSrc or the first cbToAppend bytes were
concatenated to pszDest

failure        -   the operation did not succeed

STATUS_BUFFER_OVERFLOW
Note: This status has the severity class Warning - IRPs completed with this
status do have their data copied back to user mode
-   this return value is an indication that the
operation failed due to insufficient space. When this
error occurs, the destination buffer is modified to
contain a truncated version of the ideal result.
This is useful for situations where truncation is ok.

It is strongly recommended to use the NT_SUCCESS() macro to test the
return value of this function

--*/

NTSTRSAFEDDI
RtlUnicodeStringCbCatStringNEx(
        _Inout_ PUNICODE_STRING DestinationString,
        _In_ NTSTRSAFE_PCWSTR pszSrc,
        _In_ size_t cbToAppend,
        _Out_opt_ PUNICODE_STRING RemainingString,
        _In_ DWORD dwFlags)
{
    NTSTATUS status;
    wchar_t* pszDest;
    size_t cchDest;
    size_t cchDestLength;

    status = RtlUnicodeStringValidateDestWorker(DestinationString,
            &pszDest,
            &cchDest,
            &cchDestLength,
            NTSTRSAFE_UNICODE_STRING_MAX_CCH,
            dwFlags);

    if (NT_SUCCESS(status))
    {
        wchar_t* pszDestEnd = pszDest + cchDestLength;
        size_t cchRemaining = cchDest - cchDestLength;
        size_t cchNewDestLength = cchDestLength;
        size_t cchToAppend = cbToAppend / sizeof(wchar_t);

        status = RtlStringExValidateSrcW(&pszSrc, &cchToAppend, NTSTRSAFE_UNICODE_STRING_MAX_CCH, dwFlags);

        if (NT_SUCCESS(status))
        {
            if (dwFlags & (~STRSAFE_UNICODE_STRING_VALID_FLAGS))
            {
                status = STATUS_INVALID_PARAMETER;
            }
            else if (cchRemaining == 0)
            {
                // only fail if there was actually src data to append
                if ((cchToAppend != 0) && (*pszSrc != L'\0'))
                {
                    if (pszDest == NULL)
                    {
                        status = STATUS_INVALID_PARAMETER;
                    }
                    else
                    {
                        status = STATUS_BUFFER_OVERFLOW;
                    }
                }
            }
            else
            {
                size_t cchCopied = 0;

                status = RtlWideCharArrayCopyStringWorker(pszDestEnd,
                        cchRemaining,
                        &cchCopied,
                        pszSrc,
                        cchToAppend);

                pszDestEnd = pszDestEnd + cchCopied;
                cchRemaining = cchRemaining - cchCopied;

                cchNewDestLength = cchDestLength + cchCopied;

                if (NT_SUCCESS(status)              &&
                        (dwFlags & STRSAFE_FILL_BEHIND) &&
                        (cchRemaining != 0))
                {
                    // handle the STRSAFE_FILL_BEHIND flag
                    RtlUnicodeStringExHandleFill(pszDestEnd, cchRemaining, dwFlags);
                }
            }
        }

        if (!NT_SUCCESS(status)                                                                                      &&
                (dwFlags & (STRSAFE_NO_TRUNCATION | STRSAFE_FILL_ON_FAILURE | STRSAFE_ZERO_LENGTH_ON_FAILURE))  &&
                (cchDest != 0))
        {
            // handle the STRSAFE_NO_TRUNCATION, STRSAFE_FILL_ON_FAILURE, and STRSAFE_ZERO_LENGTH_ON_FAILURE flags
            RtlUnicodeStringExHandleOtherFlags(pszDest,
                    cchDest,
                    cchDestLength,
                    &cchNewDestLength,
                    &pszDestEnd,
                    &cchRemaining,
                    dwFlags);
        }

        if (DestinationString)
        {
            // safe to multiply cchNewDestLength * sizeof(wchar_t) since cchDest < NTSTRSAFE_UNICODE_STRING_MAX_CCH and sizeof(wchar_t) is 2
            DestinationString->Length = (USHORT)(cchNewDestLength * sizeof(wchar_t));
        }

        if (NT_SUCCESS(status) || (status == STATUS_BUFFER_OVERFLOW))
        {
            if (RemainingString)
            {
                RemainingString->Length = 0;
                // safe to multiply cchRemaining * sizeof(wchar_t) since cchRemaining < NTSTRSAFE_UNICODE_STRING_MAX_CCH and sizeof(wchar_t) is 2
                RemainingString->MaximumLength = (USHORT)(cchRemaining * sizeof(wchar_t));
                RemainingString->Buffer = pszDestEnd;
            }
        }
    }

    return status;
}

#endif
#endif
#endif
#endif
View code on GitHub

// ntstrsafe.h

NTSTRSAFEDDI RtlUnicodeStringCbCatStringNEx(
  [in, out]       PUNICODE_STRING  DestinationString,
  [in]            NTSTRSAFE_PCWSTR pszSrc,
  [in]            size_t           cbToAppend,
  [out, optional] PUNICODE_STRING  RemainingString,
  [in]            DWORD            dwFlags
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-ntstrsafe-rtlunicodestringcbcatstringnex)

RtlUnicodeStringCbCatStringNEx function

Description

The RtlUnicodeStringCbCatStringNEx function concatenates two strings when the destination string is contained in a UNICODE_STRING structure, while limiting the size of the appended string.

Parameters

`DestinationString` [in, out]

Optional. A pointer to a UNICODE_STRING structure. This structure includes a buffer that, on input, contains a destination string to which the source string will be concatenated. On output, this buffer is the destination buffer that contains the entire resultant string. The source string (excluding the terminating null) is added to the end of the destination string. The maximum number of bytes in the structure's string buffer is NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR). DestinationString can be NULL, but only if STRSAFE_IGNORE_NULLS is set in dwFlags.

`pszSrc` [in]

A caller-supplied pointer to a null-terminated string. This string will be concatenated to the end of the string that is contained in the UNICODE_STRING structure that DestinationString points to. pszSrc can be NULL, but only if STRSAFE_IGNORE_NULLS is set in dwFlags.

`cbToAppend` [in]

The maximum number of bytes to append to the string that the DestinationString parameter describes.

`RemainingString` [out, optional]

Optional. If the caller supplies a non-NULL pointer to a UNICODE_STRING structure, the function sets this structure's Buffer member to the end of the concatenated string, sets the structure's Length member to zero, and sets the structure's MaximumLength member to the number of bytes that are remaining in the destination buffer. RemainingString can be NULL, but only if STRSAFE_IGNORE_NULLS is set in dwFlags.

`dwFlags` [in]

One or more flags and, optionally, a fill byte. The flags are defined as follows:

Value	Meaning
STRSAFE_FILL_BEHIND	If this flag is set and the function succeeds, the low byte of dwFlags is used to fill the portion of the destination buffer that follows the last character in the string.
STRSAFE_IGNORE_NULLS	If this flag is set, the source or destination pointer, or both, can be NULL. RtlUnicodeStringCbCatStringNEx treats NULL source buffer pointers like empty strings (TEXT("")), which can be copied. NULL destination buffer pointers cannot receive nonempty strings.
STRSAFE_FILL_ON_FAILURE	If this flag is set and the function fails, the low byte of dwFlags is used to fill the entire destination buffer. This operation overwrites any preexisting buffer contents.
STRSAFE_NULL_ON_FAILURE	If this flag is set and the function fails, the destination buffer is set to an empty string (TEXT("")). This operation overwrites any preexisting buffer contents.
STRSAFE_NO_TRUNCATION	If this flag is set and the function returns STATUS_BUFFER_OVERFLOW: * If STRSAFE_FILL_ON_FAILURE is also specified, STRSAFE_NO_TRUNCATION fills the destination buffer accordingly. * Otherwise, the destination buffer will be unmodified.
STRSAFE_ZERO_LENGTH_ON_FAILURE	If this flag is set and the function returns STATUS_BUFFER_OVERFLOW, the destination string length is set to zero bytes.

Return value

RtlUnicodeStringCbCatStringNEx returns one of the following NTSTATUS values.

Return code	Description
STATUS_SUCCESS	This success status means source data was present, and the strings were concatenated without truncation.
STATUS_BUFFER_OVERFLOW	This warning status means that the concatenated operation did not complete because of insufficient space in the destination buffer. If STRSAFE_NO_TRUNCATION is set, see the dwFlags parameter for more information.
STATUS_INVALID_PARAMETER	This error status means that the function received an invalid input parameter. For more information, see the following list.

RtlUnicodeStringCbCatStringNEx returns the STATUS_INVALID_PARAMETER value when one of the following occurs:

The contents of a UNICODE_STRING structure are invalid.
An invalid flag is specified in dwFlags.
The destination buffer is already full.
A buffer pointer is NULL and the STRSAFE_IGNORE_NULLS flag is not specified.
The destination buffer pointer is NULL, but the buffer size is not zero.
The destination buffer pointer is NULL, or its length is zero, but a nonzero length source string is present.
The cbToAppend parameter's value is greater than NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR).

For information about how to test NTSTATUS values, see Using NTSTATUS Values.

Remarks

The RtlUnicodeStringCbCatStringNEx function uses the destination buffer's size to ensure that the concatenation operation does not write past the end of the buffer. By default, the function does not terminate the resultant string with a null character value (that is, with zero). As an option, the caller can use the STRSAFE_FILL_BEHIND flag and a fill byte value of zero to null-terminate a resultant string that does not occupy the entire destination buffer.

RtlUnicodeStringCbCatStringNEx adds to the functionality of the RtlUnicodeStringCbCatStringN function by returning a UNICODE_STRING structure that identifies the end of the destination string and the number of bytes that are left unused in that string. You can pass flags to RtlUnicodeStringCbCatStringNEx for additional control.

If the source and destination strings overlap, the behavior of the function is undefined.

The pszSrc and DestinationString pointers cannot be NULL unless the STRSAFE_IGNORE_NULLS flag is set in dwFlags. If STRSAFE_IGNORE_NULLS is set, one or both of these pointers can be NULL. If the DestinationString pointer is NULL, the pszSrc pointer must be NULL or point to an empty string.

For more information about the safe string functions, see Using safe string functions.

RtlUnicodeStringCbCatStringNEx - NtDoc

NtDoc

Windows Driver Kit DDI reference (nf-ntstrsafe-rtlunicodestringcbcatstringnex)

RtlUnicodeStringCbCatStringNEx function

Description

Parameters

`DestinationString` [in, out]

`pszSrc` [in]

`cbToAppend` [in]

`RemainingString` [out, optional]

`dwFlags` [in]

Return value

Remarks

See also

NtDoc

Windows Driver Kit DDI reference (nf-ntstrsafe-rtlunicodestringcbcatstringnex)

RtlUnicodeStringCbCatStringNEx function

Description

Parameters

DestinationString [in, out]

pszSrc [in]

cbToAppend [in]

RemainingString [out, optional]

dwFlags [in]

Return value

Remarks

See also

`DestinationString` [in, out]

`pszSrc` [in]

`cbToAppend` [in]

`RemainingString` [out, optional]

`dwFlags` [in]