SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 56

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

String literals are The type of a narrow string literal is an array of char, and the type of a wide string literal is an array of wchar_t. However, string literals (of both types) are notionally constant and should consequently be protected by const qualification. This recommendation is a specialization of DCL00-AC. Const-qualify immutable objects and also supports rule STR30-C. Do not attempt to modify string literals.

Adding const qualification may propagate through a program; as you add const qualifiers are added, still more become necessary. This phenomenon is sometimes called " const-poisoning. " Const-poisoning can frequently lead to violations of EXP05-AC. Do not cast away a const qualification. While  Although const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.

...

Noncompliant Code Example (Narrow String Literal)

In the following non-compliant codethis noncompliant code example, the const keyword has been omitted.:

Code Block
bgColor#FFcccc
langc

char *c = "Hello";

...

If   a   statement   such   as  {{c\[0\]   =   'C'}}  were   placed   following   the  above declaration, the code is likely to compile cleanly, but the result of the assignment is undefined as string literals are considered declaration in the noncompliant code example, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (
...
Immutable Strings)
In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempts attempt to assign them to different values is an error.:
 Code Block
bgColor#ccccFF
langc

const char *c = "Hello";

Compliant Solution (
...
Mutable Strings)
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array which that has been initialized using the contents of the corresponding string literal.:
 Code Block
bgColor#ccccFF
langc

char c[] = "Hello";

 Wiki MarkupConsequently,   a   statement   such   as  {{c\[0\] = 'C'}} is valid and behaves as ] = 'C' is valid and behaves as expected.
Noncompliant Code Example (Wide String Literal)
In this noncompliant code example, the const keyword has been omitted:
 Code Block
bgColor#FFcccc
langc
wchar_t *c = L"Hello";

If a statement such as c[0] = L'C' were placed following this declaration, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (Immutable Strings)
In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:
 Code Block
bgColor#ccccFF
langc
wchar_t const *c = L"Hello";

Compliant Solution (Mutable Strings)
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable wchar_t array that has been initialized using the contents of the corresponding string literal:
 Code Block
bgColor#ccccFF
langc
wchar_t c[] = L"Hello";

Consequently, a statement such as c[0] = L'C' is valid and behaves as expected.
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
Recommendation
Severity
Likelihood
Remediation Cost
Priority
Level
STR05-
A 
C
 low 
Low
 unlikely 
Unlikely
 high 
Low
 P1 
P3
 L1 
L3
Automated Detection
...
Tool
Version
Checker
Description
Astrée
 Include Page
Astrée_V
Astrée_V
literal-assignment
Fully checked
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-STR05
Clang
 Include Page
Clang_V
Clang_V
-Wwrite-stringsNot enabled by -Weverything
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
LANG.TYPE.NCSNon-const string literal
Compass/ROSE



ECLAIR
 Include Page
ECLAIR_V
ECLAIR_V
CC2.STR05
Fully implemented
GCC
 Include Page
GCC_V
GCC_V
-Wwrite-strings
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C0752, C0753
Klocwork
 Include Page
Klocwork_V
Klocwork_V
MISRA.STRING_LITERAL.NON_CONST.2012
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
623 S
Fully implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-STR05-a
A string literal shall not be modified
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
1776
Fully supported
RuleChecker
 Include Page
RuleChecker_V
RuleChecker_V
literal-assignmentFully checked
Related Vulnerabilities
Search for 
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References:
 Wiki Markup
\[[Corfield 93|AA. C References#Corfield 93]\]
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.8, "Initialization"
\[[Lockheed Martin 2005|AA. C References#Lockheed Martin 05]\] AV Rule 151.1
Bibliography
[Corfield 1993]
[Lockheed Martin 2005]  AV Rule 151.1

...
Image Added Image Added Image AddedSTR04-A. Use plain char for character data      07. Characters and Strings (STR)       STR06-A. Do not assume that strtok() leaves the parse string unchanged