...

Adding const qualification may propagate through a program; as you add const qualifiers, still more become necessary. This phenomenon is sometimes called "const-poisoning." Const-poisoning can frequently lead to violations of "EXP05-C. Do not cast away a const qualification." While const qualification is a good idea, its costs may outweigh its value when remediating existing code.

...

Noncompliant Code Example (narrow string literal)

In the following noncompliant code, the const keyword has been omitted.

...

If a statement such as c[0] = 'C' were placed following the above declaration, the code would likely compile cleanly, but the result of the assignment is undefined as string literals are considered constant.

Compliant Solution (immutable strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them different values is an error.

    const char *c = "Hello";

Compliant Solution (mutable strings)

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array which has been initialized using the contents of the corresponding string literal.

...

Consequently, a statement such as c[0] = 'C' is valid and behaves as expected.

...

Noncompliant Code Example (wide string literal)

In the following noncompliant code, the const keyword has been omitted.

...

If a statement such as c[0] = L'C' were placed following the above declaration, the code would likely compile cleanly, but the result of the assignment is undefined as string literals are considered constant.

Compliant Solution (immutable strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them different values is an error.

    wchar_t const *c = L"Hello";

Compliant Solution (mutable strings)

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array which has been initialized using the contents of the corresponding string literal.

...

Consequently, a statement such as c[0] = L'C' is valid and behaves as expected.
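The two compliant forms side by side for narrow and wide strings, as an added example that is not part of the original guideline. The names greeting, wgreeting, count_char, narrow_mutable_ok and wide_mutable_ok are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Immutable strings: pointers to const-qualified characters, so a write
 * through them is a compile-time error. (Hypothetical names.) */
static const char    *greeting  = "Hello";
static const wchar_t *wgreeting = L"Hello";

/* Read-only helper (hypothetical). Because its parameter is const-qualified,
 * it accepts literals and modifiable arrays alike without any cast, which
 * avoids the cast-away-const pressure that const-poisoning creates. */
size_t count_char(const char *s, char ch) {
    size_t n = 0;
    for (; *s != '\0'; ++s) {
        if (*s == ch) {
            ++n;
        }
    }
    return n;
}

/* Mutable narrow string: the array is initialized from the literal, so it
 * holds its own copy (5 characters plus the terminator) that may be changed. */
int narrow_mutable_ok(void) {
    char c[] = "Hello";
    c[0] = 'C';
    return sizeof c == 6 && strcmp(c, "Cello") == 0
        && strcmp(greeting, "Hello") == 0;   /* the literal is untouched */
}

/* Mutable wide string: same pattern with wchar_t and an L"" initializer. */
int wide_mutable_ok(void) {
    wchar_t c[] = L"Hello";
    c[0] = L'C';
    return sizeof c == 6 * sizeof(wchar_t) && wcscmp(c, L"Cello") == 0
        && wcscmp(wgreeting, L"Hello") == 0;
}

int main(void) {
    /* greeting[0] = 'C';   rejected by the compiler: the object is const */
    /* wgreeting[0] = L'C'; rejected for the same reason */
    return (narrow_mutable_ok() && wide_mutable_ok()
            && count_char(greeting, 'l') == 2) ? 0 : 1;
}
```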

Risk Assessment

Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR05-C | low | unlikely | low | P3 | L3 |

Automated Detection

The LDRA tool suite V 7.6.0 can detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.
