This recommendation is an extension of rule STR30-C, "Do not attempt to modify string literals."
Because string literals are constant, they should only be assigned to pointers to const. This recommendation supports rule STR30-C.
Non-Compliant Code Example 1
The const keyword is not included in this declaration.

```c
char *c = "Hello"; // Bad: string literal assigned to a pointer to non-const char
c[3] = 'a';        // Undefined behavior (but compiles)
```
Compliant Solution 1
If you properly assign string literals to const pointers, the compiler will not allow direct manipulation of the contents.

```c
char const *c = "Hello"; // Good: pointer to const char
// c[3] = 'a'; would cause a compile error
```
Aside
Note that the following code is acceptable, as a and b do not actually point to string literals. They are char array objects which have had characters copied into them, and therefore are modifiable.
```c
char a[] = {'a', 'b', 'c', '\0'}; // modifiable array, null-terminated, so a valid string
char b[] = {'a', 'b', 'c'};       // modifiable array, but not null-terminated, so not a string
```
Non-Compliant Code Example 2.a
Though it is not compliant with the C Standard, this code executes correctly if the contents of CMUfullname are not modified.

```c
#include <string.h>

char *CMUfullname = "Carnegie Mellon"; // Bad: literal assigned to a pointer to non-const char
char *school; /* assumed: points at validated user input */
/* get school from user input and validate */
if (strcmp(school, "CMU") == 0) { /* strcmp returns 0 on a match */
  school = CMUfullname;
}
```
Non-Compliant Code Example 2.b
Adding the const keyword will generate a compiler warning, because the assignment of CMUfullname to school discards the const qualifier. Any modification of the contents of school after this assignment would write to the string literal, which is undefined behavior (see STR30-C).

```c
#include <string.h>

char const *CMUfullname = "Carnegie Mellon";
char *school; /* assumed: points at validated user input */
/* get school from user input and validate */
if (strcmp(school, "CMU") == 0) { /* strcmp returns 0 on a match */
  school = CMUfullname; // Bad: discards the const qualifier (compiler warning)
}
```
Compliant Solution 2
The compliant solution uses the const keyword to protect the string literal, and uses strcpy to copy the value of CMUfullname into school, allowing future modification of school. For this to be safe, school must be a writable buffer large enough to hold the copy, including the terminating null character.

```c
#include <string.h>

char const *CMUfullname = "Carnegie Mellon"; // Good: pointer to const char
char school[32]; /* assumed: writable buffer large enough for CMUfullname */
/* get school from user input and validate */
if (strcmp(school, "CMU") == 0) { /* strcmp returns 0 on a match */
  // assuming school is properly allocated
  strcpy(school, CMUfullname);
}
```
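The following program, added here as an example and not part of the CERT page, generalizes Compliant Solution 2: the literals live in a table of pointers to const, the expansion is copied with a bounds check instead of an unchecked strcpy, and the copy (not the literal) is then modified. The names SCHOOLS, expand_school and to_upper_in_place are assumed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Table of string literals: each entry holds pointers to const char,
 * so no code path can write through them into the literals. */
struct school_name { const char *abbrev; const char *full; };
static const struct school_name SCHOOLS[] = {
    { "CMU", "Carnegie Mellon" },                         /* constructed sample */
    { "MIT", "Massachusetts Institute of Technology" },   /* constructed sample */
};

/* Copy the full name for an abbreviation into the caller's writable buffer.
 * Returns 1 on success, 0 if the abbreviation is unknown or the copy
 * (including the terminating null) would not fit in out_size bytes. */
int expand_school(const char *input, char *out, size_t out_size) {
    const char *full = NULL;
    for (size_t i = 0; i < sizeof SCHOOLS / sizeof SCHOOLS[0]; i++) {
        if (strcmp(input, SCHOOLS[i].abbrev) == 0) { /* 0 means match */
            full = SCHOOLS[i].full;
            break;
        }
    }
    if (full == NULL) return 0;
    size_t len = strlen(full);
    if (len + 1 > out_size) return 0; /* refuse rather than overflow */
    memcpy(out, full, len + 1);       /* copies the null terminator too */
    return 1;
}

/* The copy is an ordinary char array owned by the caller, so modifying
 * it in place is well defined, unlike writing into the literal. */
void to_upper_in_place(char *s) {
    for (; *s != '\0'; s++) {
        *s = (char)toupper((unsigned char)*s);
    }
}

int main(void) {
    char school[32];
    if (expand_school("CMU", school, sizeof school)) {
        to_upper_in_place(school);
        printf("%s\n", school); /* prints CARNEGIE MELLON */
    }
    return 0;
}
```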
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR05-A | 1 (low) | 3 (likely) | 2 (medium) | P6 | L2 |