...
The improper use of strtok()
is likely to result in truncated data, producing unexpected results later in program execution.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR06-C | Medium | Likely | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| (customization) | Users who wish to avoid using strtok() entirely can add a custom check for all uses of strtok() . | ||||||
Compass/ROSE |
5.0
Can detect violations of this rule with CERT C Rule Pack
Helix QAC |
| C5007 |
LDRA tool suite |
| 602 S | Enhanced Enforcement |
Writing to const qualified object
Modification of internal buffer returned from nonreentrant standard function
Object declared with a const
qualifier is modified
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | VOID STR06-CPP. Do not assume that strtok() leaves the parse string unchanged |
MITRE CWE | CWE-464, Addition of data structure sentinel |
Bibliography
...
...