SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 44 Next »

A string literal is a sequence of zero or more multibyte characters enclosed in double quotes ("xyz", for example). A wide string literal is the same, except prefixed by the letter 'L' (L"xyz", for example).

At compile time, string literals are used to create an array of static storage duration of sufficient length to contain the character sequence and a null-termination character. It is unspecified whether these arrays are distinct. The behavior is undefined if a program attempts to modify string literals but frequently results in an access violation, as string literals are typically stored in read-only memory.

Do not attempt to modify a string literal. Use a named array of characters to obtain a modifiable string.

Noncompliant Code Example

In this noncompliant code example, the char pointer p is initialized to the address of a string literal. Attempting to modify the string literal results in undefined behavior.

char *p  = "string literal";
p[0] = 'S';

Compliant Solution

As an array initializer, a string literal specifies the initial values of characters in an array as well as the size of the array (see STR36-C. Do not specify the bound of a character array initialized with a string literal). This code creates a copy of the string literal in the space allocated to the character array a. The string stored in a can be safely modified.

char a[] = "string literal";
a[0] = 'S';

Noncompliant Code Example

In this noncompliant example, the mktemp() function modifies its string argument.

mktemp("/tmp/edXXXXXX");

Compliant Solution

Instead of passing a string literal, use a named array:

static char fname[] = "/tmp/edXXXXXX";

mktemp(fname);

Risk Assessment

Modifying string literals can lead to abnormal program termination and possibly denial-of-service attacks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

STR30-C

low

likely

low

P9

L2

Automated Detection

The LDRA tool suite V 7.6.0 can detect violations of this rule.

Splint Version 3.1.1 can detect violations of this rule.

Compass/ROSE can detect simple violations of this rule.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as STR30-CPP. Do not attempt to modify string literals.

References

[[ISO/IEC 9899:1999]] Section 6.4.5, "String literals"
[[Summit 95]] comp.lang.c FAQ list - Question 1.32
[[Plum 91]] Topic 1.26, "strings - string literals"

STR07-C. Use TR 24731 for remediation of existing string manipulation code      07. Characters and Strings (STR)      

  • No labels