A string literal is a sequence of zero or more multibyte characters enclosed in double quotes ("xyz"
, for example). A wide string literal is the same, except prefixed by the letter 'L' (L"xyz"
, for example).
At compile time, string literals are used to create an array of static storage duration of sufficient length to contain the character sequence and a null-termination character. It is unspecified whether these arrays are distinct. The behavior is undefined if a program attempts to modify string literals but frequently results in an access violation, as string literals are typically stored in read-only memory.
Do not attempt to modify a string literal. Use a named array of characters to obtain a modifiable string.
Noncompliant Code Example
In this noncompliant code example, the char
pointer p
is initialized to the address of a string literal. Attempting to modify the string literal results in undefined behavior.
char *p = "string literal"; p[0] = 'S';
Compliant Solution
As an array initializer, a string literal specifies the initial values of characters in an array as well as the size of the array (see STR36-C. Do not specify the bound of a character array initialized with a string literal). This code creates a copy of the string literal in the space allocated to the character array a
. The string stored in a
can be safely modified.
char a[] = "string literal"; a[0] = 'S';
Noncompliant Code Example
In this noncompliant example, the mktemp()
function modifies its string argument.
mktemp("/tmp/edXXXXXX");
Compliant Solution
Instead of passing a string literal, use a named array:
static char fname[] = "/tmp/edXXXXXX"; mktemp(fname);
Risk Assessment
Modifying string literals can lead to abnormal program termination and possibly denial-of-service attacks.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
STR30-C |
low |
likely |
low |
P9 |
L2 |
Automated Detection
The LDRA tool suite V 7.6.0 can detect violations of this rule.
Splint Version 3.1.1 can detect violations of this rule.
Compass/ROSE can detect simple violations of this rule.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as STR30-CPP. Do not attempt to modify string literals.
References
[[ISO/IEC 9899:1999]] Section 6.4.5, "String literals"
[[Summit 95]] comp.lang.c FAQ list - Question 1.32
[[Plum 91]] Topic 1.26, "strings - string literals"