The type of a narrow string literal is an array of char
, and the type of a wide string literal is an array of wchar_t
. However, string literals (of both types) are notionally constant and should consequently be protected by const
qualification. This recommendation is a specialization of DCL00-C. Const-qualify immutable objects and also supports STR30-C. Do not attempt to modify string literals.
Adding const
qualification may propagate through a program; as you add const
qualifiers, still more become necessary. This phenomenon is sometimes called const-poisoning. Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. Although const
qualification is a good idea, the costs may outweigh the value in the remediation of existing code.
...
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR05-C | low | unlikely | low | P3 | L3 |
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
| 157 S | Partially implemented | |||||||
Compass/ROSE |
|
|
| ||||||
PRQA QA-C |
| 0752 0753 | Partially implemented |
Related Vulnerabilities
...
ISO/IEC 9899:2011 Section 6.7.9, "Initialization"
Bibliography
[Corfield 1993]
[Lockheed Martin 2005] AV Rule 151.1
...