String literals are constant and should consequently be protected by the `const` qualifier. This recommendation supports rule STR30-C, "Do not attempt to modify string literals."
Non-Compliant Code Example
In the following non-compliant code, the `const` keyword has been omitted.

```c
char *c = "Hello";
```

If a statement such as `c[0] = 'C'` were placed following the above declaration, the code would likely still compile cleanly, but the result of the assignment is undefined, as string literals are considered constant.
Compliant Solution 1
In this compliant solution, the characters referred to by the pointer `c` are `const`-qualified, meaning that any attempt to assign them different values is a compile-time error rather than undefined behavior.

```c
char const *c = "Hello";
```
Compliant Solution 2
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, `c` is a modifiable `char` array that has been initialized with the contents of the corresponding string literal.

```c
char c[] = "Hello";
```

Thus, a statement such as `c[0] = 'C'` is valid and will do what is expected.
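The two compliant forms side by side, as an added example (not code from the original page): the array form is writable storage initialized from the literal, the `char const *` form makes an attempted write a compile-time error, and `sizeof` shows that the array really holds its own copy of the characters. Function names are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Compliant Solution 2: an array initialized from the literal is ordinary
 * writable storage, so modifying it is well defined. Returns the modified
 * contents (static so the pointer stays valid after return). */
const char *modified_array(void) {
    static char c[] = "Hello";   /* array, not a pointer to the literal */
    c[0] = 'C';                  /* valid: writes to the array, not the literal */
    return c;
}

/* Compliant Solution 1: the pointer's target is const-qualified. Any attempt
 * to write through it is rejected by the compiler instead of silently
 * producing undefined behavior at run time. */
size_t literal_length(void) {
    char const *c = "Hello";
    /* c[0] = 'C';  <- would not compile: assignment of read-only location */
    return strlen(c);
}

/* sizeof distinguishes the two declarations: the array's size is the
 * literal's length plus the terminating NUL (6 for "Hello"); a pointer's
 * size would be the pointer width regardless of the string. */
size_t array_bytes(void) {
    char c[] = "Hello";
    return sizeof c;
}

int main(void) {
    printf("%s\n", modified_array());          /* Cello */
    printf("%zu %zu\n", literal_length(), array_bytes());  /* 5 6 */
    return 0;
}
```

When building with GCC or Clang, `-Wwrite-strings` gives string literals the type `const char[]`, so the non-compliant `char *c = "Hello";` is itself flagged at compile time; it is a cheap way to find the pattern in an existing code base.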
Non-Compliant Code Example 1
Although this code example is not compliant with the C99 Standard, it executes correctly if the contents of `CMUfullname` are not modified.

```c
#include <string.h>

char *CMUfullname = "Carnegie Mellon University";
char *school;
/* Get school from user input and validate */
if (strcmp(school, "CMU") == 0) {   /* strcmp() returns 0 on a match */
  school = CMUfullname;
}
```
Non-Compliant Code Example 2
Adding the `const` keyword will likely generate a compiler warning, as the assignment of `CMUfullname` to `school` discards the `const` qualifier. Any modification of the contents of `school` after this assignment writes to the string literal and is therefore undefined behavior.

```c
#include <string.h>

char const *CMUfullname = "Carnegie Mellon University";
char *school;
/* Get school from user input and validate */
if (strcmp(school, "CMU") == 0) {   /* strcmp() returns 0 on a match */
  school = CMUfullname;             /* warning: discards const qualifier */
}
```
Compliant Solution
The compliant solution uses the `const` keyword to protect the string literal and `strcpy()` to copy the value of `CMUfullname` into `school`, allowing future modification of `school`. Before the copy, `school` must point to a buffer large enough to hold the full name and its terminating null character.

```c
#include <string.h>

char const *CMUfullname = "Carnegie Mellon University";
char *school;
/* Get school from user input and validate */
if (strcmp(school, "CMU") == 0) {   /* strcmp() returns 0 on a match */
  /* Allocate correct amount of space for copy */
  strcpy(school, CMUfullname);
}
```
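A complete, runnable version of the compliant solution, added here as an example and not taken from the original page: the literal stays `const`-qualified, the copy goes into a heap buffer sized from `strlen()` plus one for the terminating null, and the caller receives writable storage it owns. The function names and the `malloc()`-based allocation are this example's own choices; the page leaves the allocation step as a comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a heap-allocated, modifiable copy of the school name, expanding
 * "CMU" to the full name. The string literal is never handed out as a
 * writable pointer. Returns NULL on allocation failure; caller frees. */
char *expand_school(const char *school) {
    char const *CMUfullname = "Carnegie Mellon University";
    const char *src = (strcmp(school, "CMU") == 0) ? CMUfullname : school;

    /* Allocate exactly enough for the characters plus the NUL terminator */
    char *copy = malloc(strlen(src) + 1);
    if (copy == NULL) {
        return NULL;
    }
    strcpy(copy, src);   /* safe: destination sized for src above */
    return copy;
}

/* Helper for checking results: 1 if expand_school(input) equals expected. */
int expansion_matches(const char *input, const char *expected) {
    char *s = expand_school(input);
    if (s == NULL) {
        return 0;
    }
    int ok = (strcmp(s, expected) == 0);
    free(s);
    return ok;
}

/* Shows that the returned buffer is writable: modifying it is well defined,
 * unlike writing through a pointer that aliases the literal. */
int copy_is_writable(void) {
    char *s = expand_school("CMU");
    if (s == NULL) {
        return 0;
    }
    s[0] = 'c';                                   /* heap storage, not the literal */
    int ok = (strcmp(s, "carnegie Mellon University") == 0);
    free(s);
    return ok;
}

int main(void) {
    char *s = expand_school("CMU");   /* "CMU" stands in for validated user input */
    if (s != NULL) {
        printf("%s\n", s);            /* Carnegie Mellon University */
        free(s);
    }
    return 0;
}
```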
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR05-A | 1 (low) | 3 (likely) | 2 (medium) | P6 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References:
[N0389] http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1993/N0389.asc
[ISO/IEC 9899:1999 TC2] Section 6.7.8, "Initialization"
[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001, Rev C. December 2005. AV Rule 151.1