The three types char
, signed char
, and unsigned char
are collectively called the character types. Compilers have the latitude to define char
to have the same range, representation, and behavior as either signed char
or unsigned char
. Irrespective of the choice made, char
is a separate type from the other two and is not compatible with either.
For characters in the basic character set, it doesn't matter which data type is used, except for type compatibility. Consequently, it is best to use plain char
for character data for compatibility with standard string handling functions.
In most cases, the only portable operators on plain char
types are assignment and equality operators (=
, ==
, !=
). An exception is the translation to and from digits. For example, if the char
c
is a digit, c - '0'
is a value between 0 and 9.
Noncompliant Code Example
The following noncompliant code example simply shows calling the standard string handling function strlen()
with a plain character string, a signed character string, and an unsigned character string. The strlen()
functions takes a single argument of type const char
*.
size_t len; char cstr[] = "char string"; signed char scstr[] = "signed char string"; unsigned char ucstr[] = "unsigned char string"; len = strlen(cstr); len = strlen(scstr); /* warns when char is unsigned */ len = strlen(ucstr); /* warns when char is signed */
Compiling at high warning levels in compliance with MSC00-C. Compile cleanly at high warning levels causes warnings to be issued when converting from unsigned char[]
to const char *
when char
is signed and from signed char[]
to const char *
when char
is defined to be unsigned. Casts are required to eliminate these warnings, but excessive casts can make code difficult to read and hide legitimate warning messages.
If this C code were compiled using a C++ compiler, conversions from unsigned char[]
to const char *
and from signed char[]
to const char *
would be flagged as errors requiring casts.
Compliant Solution
The compliant solution uses plain char
for character data.
size_t len; char cstr[] = "char string"; len = strlen(cstr);
Conversions are not required and the code compiles cleanly at high warning levels without casts.
Risk Assessment
Failing to use plain char
for characters in the basic character set can lead to excessive casts and less effective compiler diagnostics.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
STR04-C |
low |
unlikely |
low |
P3 |
L3 |
Automated Detection
Fortify SCA Version 5.0 with CERT C Rule Pack can detect violations of this recommendation, except cases involving signed char.
The EDG Front End to Compass Rose can detect violation of this recommendation.
Compass/ROSE can detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as STR04-CPP. Use plain char for characters in the basic character set.
References
[[ISO/IEC 9899:1999]] Section 6.2.5, "Types"
[[MISRA 04]] Rule 6.1, "The plain char type shall be used only for the storage and use of character values"
STR03-C. Do not inadvertently truncate a null-terminated byte string 07. Characters and Strings (STR)