SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 27 Next »

String literals are constant and should thus should be protected by the const qualification. This recommendation supports rule STR30-C.

Non-Compliant Code Example

In the following non-compliant code, the const keyword has been omitted.

char *c = "Hello";

If a statement such as c[0] = 'C' were placed following the above declaration, the code would likely still compile cleanly, but the result of the assignment is undefined as string literals are considered constant.

Compliant Solution 1

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempts to assign them to different values is an error. 

char const *c = "Hello";

Compliant Solution 2

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array which has been initialized using the contents of the corresponding string literal.

char c[] = "Hello";

Thus, a statement such as c[0] = 'C' is valid and will do what is expected.

Non-Compliant Code Example 1

Although this code example is not compliant with the C99 Standard, it executes correctly if the contents of CMUfullname are not modified.

char *CMUfullname = "Carnegie Mellon University";

/* Get school from user input and validate */

if (strcmp(school, "CMU")) {
    school = CMUfullname;
}

Non-Compliant Code Example 2

Adding in the const keyword will likely generate a compiler warning, as the assignment of CMUfullname to school discards the const qualifier. Any modifications to the contents of school after this assignment will lead to errors.

char const *CMUfullname = "Carnegie Mellon University";

/* Get school from user input and validate */

if (strcmp(school, "CMU")) {
    school = CMUfullname;
}

Compliant Solution

The compliant solution uses the const keyword to protect the string literal, as well as using strcpy() to copy the value of CMUfullname into school, allowing future modification of school.

char const *CMUfullname = "Carnegie Mellon University";

/* Get school from user input and validate */

if (strcmp(school, "CMU")) {
    /* Allocate correct amount of space for copy */
    strcpy(school, CMUfullname);
}

Risk Assessment

Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

STR05-A

1 (low)

3 (likely)

2(medium)

P6

L2

References:

http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1993/N0389.asc
[[ISO/IEC 9899-1999:TC2]] Section 6.7.8, "Initialization"
[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001, Rev C. December 2005.     AV Rule 151.1

  • No labels