...

Dynamic allocation is often disallowed in safety-critical systems.  For example, the MISRA standard includes Rule 20.4, which requires that "Dynamic heap memory allocation shall not be used" \[[MISRA 04|AA. C References#MISRA 04]\].  Some safety-critical systems can take advantage of dynamic memory allocation during initialization but not during operation.  For example, avionics software may dynamically allocate memory while initializing the aircraft, but not during flight.

There are a number of existing libraries available for managing string data; the library selected depends on the overall approach adopted for managing null-terminated byte strings.  The functions defined by C99 Section 7.21, "String handling <string.h>" \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] are primarily intended for managing statically allocated strings.  However, these functions are problematic because many of them are insufficiently bounded: they do not account for the size of the destination array.  Consequently, this standard recommends use of the ISO/IEC TR 24731-1 \[[ISO/IEC TR 24731-1-2007|AA. C References#ISO/IEC TR 24731-1-2007]\] functions for use with statically allocated arrays (see [STR07-A. Use TR 24731 for remediation of existing string manipulation code]).  These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.

ISO/IEC TR 24731 Part II (24731-2, in progress) offers another approach, supplying functions that allocate enough memory for their results \[[ISO/IEC WDTR 24731-2|AA. C References#ISO/IEC WDTR 24731-2]\].  ISO/IEC TR 24731 Part II provides an API that dynamically allocates the results of string functions as needed.  This TR includes a number of POSIX functions such as {{strdup()}} as well as functions from the Linux Standard Base Core Specification such as {{asprintf()}} \[[Free Standards Group 2005|AA. C References#Free Standards Group 2005]\].

Another library that uses dynamic allocation is the CERT managed string library.  The managed string library described in \[[Burch 06|AA. C References#Burch06]\] was developed in response to the need for a string library that could improve the quality and security of newly developed C language programs while eliminating obstacles to widespread adoption and possible standardization.  The managed string library is based on a dynamic approach in which memory is allocated and reallocated as required.  This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring there is always adequate space available for the resulting string (including the terminating null character).

A runtime-constraint violation occurs when memory cannot be allocated.  In this way, the managed string library accomplishes the goal of succeeding or failing in a pronounced manner.

The managed string library also provides a mechanism for dealing with data sanitization by (optionally) checking that all characters in a string belong to a predefined set of "safe" characters.

The primary advantage of the CERT managed string library is that the source code is freely available, so the library can be adopted and customized as required by an organization.
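The contrast between the two approaches above, shown as an added example (not code from TR 24731-2 or from the CERT managed string library): the {{<string.h>}} function {{strncpy()}} truncates silently and may leave the destination unterminated, whereas a result-sized dynamic allocation either succeeds completely or fails in a pronounced manner by returning NULL; the names {{dyn_concat}}, {{static_copy_truncates}} and {{all_chars_safe}} are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Dynamic approach: size the result from the inputs so that neither an
 * unbounded copy nor truncation is possible.  Allocation failure (or a
 * length that cannot be represented) is reported as NULL, not hidden.
 * Hypothetical helper written for this example; caller must free(). */
char *dyn_concat(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    /* guard the length arithmetic itself before handing it to malloc() */
    if (lb == SIZE_MAX || la > SIZE_MAX - 1 - lb) return NULL;
    char *out = malloc(la + lb + 1);
    if (out == NULL) return NULL;          /* pronounced failure */
    memcpy(out, a, la);
    memcpy(out + la, b, lb + 1);           /* lb + 1 copies the null */
    return out;
}

/* Static-array approach with strncpy(): when src fills the whole buffer
 * no terminating null is written.  Returns true if truncation happened and
 * repairs the termination so the caller can still use dst safely. */
bool static_copy_truncates(const char *src, char *dst, size_t dstsz)
{
    strncpy(dst, src, dstsz);
    bool truncated = (dst[dstsz - 1] != '\0');
    dst[dstsz - 1] = '\0';
    return truncated;
}

/* Sanitization check in the spirit of the managed string library's optional
 * "safe" character set: true only if every byte of s belongs to safe. */
bool all_chars_safe(const char *s, const char *safe)
{
    return s[strspn(s, safe)] == '\0';
}
```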

Risk Assessment

String handling functions defined in C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable [vulnerabilities|BB. Definitions#vulnerability]. Managed strings, when used properly, can eliminate many of these errors, particularly in new development.

...

\[[Burch 06|AA. C References#Burch06]\]
\[[CERT 06c|AA. C References#CERT 06c]\]
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21, "String handling <string.h>"
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 20.4
\[[Seacord 05a|AA. C References#Seacord 05a]\] Chapter 2, "Strings"
\[[ISO/IEC WDTR 24731-2|AA. C References#ISO/IEC WDTR 24731-2]\] [Extensions to the C Library — Part II: Dynamic Allocation Functions|http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1248.pdf]. August 2007.
\[[Free Standards Group 2005|AA. C References#Free Standards Group 2005]\] [Linux Standard Base Core Specification 3.1|http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic.pdf]. Free Standards Group. 2005.

ISO/IEC 9945:2003 (including Technical Corrigendum 1), Information technology — Programming languages, their environments and system software interfaces — Portable Operating System Interface (POSIX®).

...