The C standard allows an array to be initialized using a string literal that fits exactly in the array, not counting the terminating null character. However, this has limited utility and the potential to cause vulnerabilities when a null-terminated byte string is assumed. Consequently, this practice is disallowed by this standard. A better approach is to not specify the dimension of a character array initialized with a string literal, as the compiler will automatically allocate sufficient space for the entire string literal, including the terminating null character.
Initializing an array using a string literal to fit exactly without a null byte is not allowed in C++.
Non-Compliant Code Example
This non-compliant code example initializes an array of characters using a string literal that defines one more character (counting the terminating '\0') than the array can hold.
char s[3] = "abc";
The size of the array s is three, although the size of the string literal is four. Any subsequent use of the array as a null-terminated byte string can result in a vulnerability, because s is not null-terminated: a call such as strlen(s) or puts(s) reads past the end of the array.
Compliant Solution
This compliant solution does not specify the dimension of the character array in the declaration. When the size is omitted, the compiler sizes the array to hold the full string literal, including the terminating null character.
char s[] = "abc";
This is the preferred approach, because the array size tracks the string literal automatically, so the array remains correctly sized and null-terminated even if the string literal is later changed.
Exceptions
STR36-EX1: If the intention is to create a character array and not a null-terminated byte string, initializing to fit exactly without a null byte is allowed but not recommended. The preferred approach to create an array containing just the three characters 'a', 'b', and 'c', for example, is to declare each character literal as a separate element as follows:
char s[3] = { 'a', 'b', 'c' };
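The three declarations discussed above (exact-fit literal, inferred size, and the STR36-EX1 element-by-element form) side by side, as an added example that is not part of the original rule text; is_null_terminated() and bounded_length() are helper functions written here for illustration, not part of any standard library or of the CERT rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Non-compliant: sizeof exact_fit == 3, so there is no room for the '\0'. */
static const char exact_fit[3] = "abc";
/* Compliant: the size is inferred, so sizeof inferred == 4 including '\0'. */
static const char inferred[] = "abc";
/* STR36-EX1: a plain character array, never meant to be a C string. */
static const char chars_only[3] = { 'a', 'b', 'c' };

/* True if buf holds a '\0' within its first n bytes. memchr() never reads
 * past n, so this is safe even when the terminator is missing. */
bool is_null_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* String length bounded by the array size: like strnlen(), which is POSIX
 * rather than ISO C, so it is spelled out here with memchr(). */
size_t bounded_length(const char *buf, size_t n) {
    const char *end = memchr(buf, '\0', n);
    return end ? (size_t)(end - buf) : n;
}

size_t exact_fit_size(void) { return sizeof exact_fit; }
size_t inferred_size(void) { return sizeof inferred; }
bool exact_fit_terminated(void) { return is_null_terminated(exact_fit, sizeof exact_fit); }
bool inferred_terminated(void) { return is_null_terminated(inferred, sizeof inferred); }

int main(void) {
    printf("exact_fit: %zu bytes, null-terminated: %d\n",
           exact_fit_size(), exact_fit_terminated());
    printf("inferred:  %zu bytes, null-terminated: %d\n",
           inferred_size(), inferred_terminated());
    /* Print a character array without assuming a terminator: the %.*s
     * precision caps the read at sizeof chars_only, so no strlen() is needed. */
    printf("chars_only: %.*s\n", (int)sizeof chars_only, chars_only);
    return 0;
}
```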
Risk Assessment
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
STR36-C | high | probable | low | P18 | L1
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.