...

A better approach is to not specify the bound of a string initialized with a string literal because the compiler will automatically allocate sufficient space for the entire string literal, including the terminating null character. This rule is a specific exception to recommendation ARR02-C, "Explicitly specify array bounds, even if implicitly defined by an initializer."

...

The size of the array s is three, although the size of the string literal is four. Any subsequent use of the array as a null-terminated byte string can result in a vulnerability, because s is not properly null-terminated. (See rule STR32-C, "Null-terminate byte strings as required.")
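The contrast described above, as an added example that is not code from the original page: s is declared with the bound 3 as in the text, and t is declared without a bound. The helpers is_terminated and copy_bounded and the accessor functions are hypothetical names introduced here to show how the missing terminator can be detected and how s can still be read safely by bounding every access with sizeof.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Noncompliant: a bound of 3 leaves no room for the terminating null.
 * Valid C (an error in C++); the array holds 'a','b','c' and nothing else. */
static const char s[3] = "abc";

/* Compliant: no bound, so the compiler sizes the array for the whole
 * literal, terminator included. The static assertion pins that down. */
static const char t[] = "abc";
_Static_assert(sizeof t == sizeof "abc", "t must hold the terminator");

/* Hypothetical helper: 1 if a null byte occurs within the first n bytes
 * of buf, 0 otherwise. Never reads past buf[n - 1]. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Hypothetical helper: bounded copy that always terminates dst.
 * Returns the number of characters copied, excluding the null. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    size_t n = 0;
    if (dstsz == 0) return 0;
    while (n < srcsz && n < dstsz - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

size_t size_of_s(void) { return sizeof s; }
size_t size_of_t(void) { return sizeof t; }
int s_terminated(void) { return is_terminated(s, sizeof s); }
int t_terminated(void) { return is_terminated(t, sizeof t); }

int main(void)
{
    char out[8];
    size_t n = copy_bounded(out, sizeof out, s, sizeof s);
    printf("sizeof s = %zu, terminated: %d\n", size_of_s(), s_terminated());
    printf("sizeof t = %zu, terminated: %d\n", size_of_t(), t_terminated());
    printf("bounded copy of s: %zu chars, \"%s\"\n", n, out);
    return 0;
}
```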

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: STR36-CPP. Do not specify the bound of a character array initialized with a string literal

ISO/IEC 9899:1999 Section 6.7.8, "Initialization"

ISO/IEC TR 24772 "CJM String Termination"

Bibliography

[ECTC 1998] A.8, "Character array initialization"

[ISO/IEC 9899:1999] Section 6.7.8, "Initialization"

[ISO/IEC PDTR 24772] "CJM String Termination"

[Seacord 2005a] Chapter 2, "Strings"

...