...
Dynamically allocated buffers dynamically resize as additional memory is required. Dynamic approaches scale better and do not discard excess data. The major disadvantage is that, if inputs are not limited, they can exhaust memory on a machine and, consequently, be used in denial-of-service attacks.
Wiki Markup
Wiki Markup string.h}}>" \ [[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999] \] are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends use of the ISO/IEC TR 24731-1 \ [[ISO/IEC TR 24731-1:2007|AA. Bibliography#ISO/IEC TR 24731-1-2007]\] functions for use with statically allocated arrays. (See recommendation [STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code].) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.Wiki Markup
ISO/IEC TR 24731-2 (in progress) offers another approach, supplying functions that allocate enough memory for their results \[ [ISO/IEC TR 24731-2|AA. Bibliography#ISO/IEC ISO/IEC TR 24731-2]\]. ISO/IEC TR 24731-2 provides an API that dynamically allocates the results of string functions, as needed. Almost all of the APIs in this TR are also in a current International Standard. For example, TR 24731-2 includes POSIX functions, such as {{strdup()}} \[ [ISO/IEC 9945:2003|AA. Bibliography#ISO/IEC 9945-2003]\], as well as functions from the Linux Standard Base Core Specification such as {{asprintf()}} \[ [ISO/IEC 23360-1:2006|AA. Bibliography#ISO/IEC 23360-1-2006]\].
Risk Assessment
Failing to adopt a consistent plan for managing strings within an application can lead to inconsistent decisions, which may make it difficult to ensure system properties, such as adhering to safety requirements.
...
MISRA Rule 20.4
Bibliography
Wiki Markup
[Seacord 2005a] Chapter 2, "Strings"
...