...
A number of existing libraries are available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by the C Standard, Section 7.24 [ISO/IEC 9899:2011], are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends using the ISO/IEC TR 24731-1 [ISO/IEC TR 24731-1:2007] functions with statically allocated arrays. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.
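The following added example (not part of the original guideline) sketches the behaviour a bounds-checking copy gives a statically allocated array: the copy either fits completely, terminator included, or is rejected and the destination is left as an empty string. Because many C libraries do not ship the TR 24731-1 functions, `bounded_copy` is a hypothetical stand-in modelled on `strcpy_s`; the `EINVAL`/`ERANGE` return values, the `hostname` array and `set_hostname` are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in modelled on strcpy_s (ISO/IEC TR 24731-1).
 * Simplifications: size_t instead of rsize_t, no runtime-constraint
 * handler is invoked, and the error codes are this example's choice. */
static int bounded_copy(char *dest, size_t destsz, const char *src)
{
    if (dest == NULL || destsz == 0)
        return EINVAL;              /* nothing safe to write to */
    if (src == NULL) {
        dest[0] = '\0';             /* leave dest a valid empty string */
        return EINVAL;
    }
    /* Measure src without reading more than destsz bytes of it. */
    size_t len = 0;
    while (len < destsz && src[len] != '\0')
        len++;
    if (len == destsz) {            /* src plus terminator does not fit */
        dest[0] = '\0';             /* no partial, unterminated copy */
        return ERANGE;
    }
    memcpy(dest, src, len + 1);     /* copy includes the terminator */
    return 0;
}

/* Statically allocated string with a fixed capacity of 15 chars + '\0'. */
static char hostname[16];

static int set_hostname(const char *input)
{
    /* The size comes from the array itself, never from the input. */
    return bounded_copy(hostname, sizeof hostname, input);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "build-01", "abcdefghijklmno",
                              "a-name-that-is-far-too-long" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_hostname(samples[i]);
        printf("%-28s rc=%d stored=\"%s\"\n", samples[i], rc, hostname);
    }
    return 0;
}
```
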
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
ISO/IEC 23360-1:2006 | |
ISO/IEC TR 24731-1:2007 | |
ISO/IEC TR 24731-2:2010 | |
MISRA-C | Rule 20.4 (required): Dynamic heap memory allocation shall not be used |
Bibliography
[CERT 2006c] | |
[Seacord 2005a] | Chapter 2, "Strings" |
...