String literals are constant and should only be assigned to constant pointers. This recommendation supports rule STR30-C.
Non-Compliant Code Example
The const
keyword is not included in this declaration.
char *c = "Hello"; /* Bad: assigned to non-const */ c[3] = 'a'; /* Undefined (but compiles) */
Compliant Solution 1
In cases where the string referenced by c
is not meant to be modified, c
should be declared as a const
pointers,
preventing direct manipulation of the contents of the string literals.
char const *c = "Hello"; /* Good */ //c[3] = 'a'; would cause a compile error
Compliant Solution 1
In cases where the string referenced by c
is meant to be modified, use initialization instead of assignment. In this compliant solution, both a
and b
are modifiable char
arrays which have been initialized using the contents of the corresponding string literal.
char a[] = "abc";
The above code is equivalent to:
char a[] = {'a', 'b', 'c', '\0'};
Non-Compliant Code Example 1
Though it is not compliant with the C Standard, this code executes correctly if the contents of CMUfullname
are not modified.
char *CMUfullname = "Carnegie Mellon"; /* get school from user input and validate */ if (strcmp(school,"CMU")) { school = CMUfullname; }
Non-Compliant Code Example 2
Adding in the const
keyword will generate a compiler warning, as the assignment of CMUfullname
to school
discards the const
qualifier. Any modifications to the contents of school
after this assignment will lead to errors.
char const *CMUfullname = "Carnegie Mellon"; /* get school from user input and validate */ if (strcmp(school,"CMU")) { school = CMUfullname; }
Compliant Solution
The compliant solution uses the const
keyword to protect the string literal, as well as using strcpy()
to copy the value of CMUfullname
into school
, allowing future modification of school
.
char const *CMUfullname = "Carnegie Mellon"; /* get school from user input and validate */ if (strcmp(school,"CMU")) { //assuming school is properly allocated strcpy(school, CMUfullname); }
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
STR05-A |
1 (low) |
3 (likely) |
2(medium) |
P6 |
L2 |
References:
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1993/N0389.asc
[[ISO/IEC 9899-1999:TC2]] Section 6.7.8, "Initialization"
[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001, Rev C. December 2005. AV Rule 151.1