...
| Include Page | ||||
|---|---|---|---|---|
|
Compliant Solution
As an array initializer, a string literal specifies the initial values of characters in an array (as well as the size of the array). This code creates a copy of the string literal in the space allocated to the character array a. The string stored in a can be safely modified.
| Code Block |
|---|
char a[] = "string literal";
a[0] = 'S';
|
Non-Compliant Code Example
In this non-compliant example, the mktemp() function modifies its string argument.
| Code Block |
|---|
mktemp("/tmp/edXXXXXX");
|
Compliant Solution
Instead of passing a string literal, use a named array:
...
(include:STR30 CS 1)
| Include Page | ||||
|---|---|---|---|---|
|
(include:STR30 CS 2)
Priority: P9 Level: L1
Modifying string literals can lead to abnormal program termination and results in undefined behavior that can be used in denial-of-service attacks.
...