Versions Compared
Do not cast away a const qualification on an object of pointer type. Casting away the const qualification allows a program to modify the object referred to by the pointer, which may result in undefined behavior. See undefined behavior 64 in Appendix J of the C standard [ISO/IEC 9899:2011].

As an illustration, C provides a footnote (Section 6.7.3, para. 4):

The implementation may place a const object that is not volatile in a read-only region of storage. Moreover, the implementation need not allocate storage for such an object if its address is never used.

...

The remove_spaces() function in this noncompliant code example accepts a pointer to a string str and a string length slen and removes the space characters from the string by shifting the remaining characters toward the front of the string. The function remove_spaces() is passed a const char pointer as an argument. The const qualification is cast away, and then the contents of the string are modified in place.

Noncompliant code example (C):

#include <stddef.h>

void remove_spaces(const char *str, size_t slen) {
  char *p = (char *)str;  /* casts away const: every write through p modifies
                             the caller's const object, which is undefined */
  size_t i;
  for (i = 0; i < slen && str[i]; i++) {
    if (str[i] != ' ') *p++ = str[i];
  }
  *p = '\0';
}

...

Compliant solution (C):

#include <stddef.h>

void remove_spaces(char *str, size_t slen) {
  char *p = str;  /* str is no longer const, so in-place writes are legal */
  size_t i;
  for (i = 0; i < slen && str[i]; i++) {
    if (str[i] != ' ') *p++ = str[i];
  }
  *p = '\0';
}

...

Noncompliant code example (C):

#include <string.h>

const int vals[3] = {3, 4, 5};
memset(vals, 0, sizeof(vals)); /* writes to a const object that the
                                  implementation may have placed in
                                  read-only storage: undefined behavior */

...

Compliant solution (C):

#include <string.h>

int vals[3] = {3, 4, 5};
memset(vals, 0, sizeof(vals)); /* vals is writable, so this is well defined */

...

EXP05-EX1: An exception to this recommendation is allowed when it is necessary to cast away const when invoking a legacy API that does not accept a const argument, provided the function does not attempt to modify the referenced variable. For example, the following code casts away the const qualification of INVFNAME in the call to the audit_log() function.

#include <stdio.h>

/* Legacy function defined elsewhere - cannot be modified */
void audit_log(char *errstr) {
  fprintf(stderr, "Error: %s.\n", errstr); /* only reads through errstr */
}

/* ... */
const char INVFNAME[]  = "Invalid file name.";
audit_log((char *)INVFNAME); /* EXP05-EX1: permitted only because
                                audit_log() never writes to errstr */
/* ... */

...

For instance, in the following example the function strchr returns an unqualified char* that points to the terminating null character of the constant character array s (which could be stored in ROM). Even though the pointer is not const, attempting to modify the character it points to would lead to undefined behavior.

#include <string.h>

extern const char s[];
char *where;
where = strchr(s, '\0'); /* strchr returns an unqualified char * into s */
/* modifying *where is undefined: it points into the const array s */

Similarly, in the example below, the function strtol sets the unqualified char* pointer referenced by end to point just past the last successfully parsed character of the constant character array s (which could be stored in ROM). Even though the pointer is not const, attempting to modify the character it points to would lead to undefined behavior.

#include <stdlib.h>

extern const char s[];
long x;
char *end;
x = strtol(s, &end, 0); /* strtol stores an unqualified char * into end */
/* modifying *end is undefined: it points into the const array s */
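As an added example that is not code from the CERT page, the following C program shows the other way to honour the remove_spaces() contract above without casting away const, and the const-correct way to hold the pointer that strchr() returns: the const input is never written to, output goes to a caller-supplied buffer, and the unqualified char * from strchr() is stored back as const char *. The function names and the sample string are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Const-correct variant of remove_spaces(): src keeps its const
 * qualification and is only read; characters are copied to dst.
 * Returns the number of characters written (excluding the terminator),
 * or (size_t)-1 when dst cannot hold the result plus a terminator. */
size_t copy_without_spaces(const char *src, size_t slen,
                           char *dst, size_t dstlen) {
  size_t i, n = 0;
  if (dst == NULL || dstlen == 0) return (size_t)-1;
  for (i = 0; i < slen && src[i] != '\0'; i++) {
    if (src[i] == ' ') continue;
    if (n + 1 >= dstlen) return (size_t)-1;  /* keep room for '\0' */
    dst[n++] = src[i];
  }
  dst[n] = '\0';
  return n;
}

/* strchr() returns an unqualified char * even when given const input.
 * Storing the result in a const char * keeps the compiler's protection
 * for the pointee instead of silently dropping it. */
const char *find_first_space(const char *s) {
  const char *p = strchr(s, ' ');  /* never a plain char * here */
  return p;                        /* NULL when there is no space */
}

/* Constructed sample input; a const object like this may be placed in
 * read-only storage by the implementation. */
static const char SAMPLE[] = "a b  c";

int main(void) {
  char out[8];
  size_t n = copy_without_spaces(SAMPLE, sizeof(SAMPLE), out, sizeof(out));
  const char *sp = find_first_space(SAMPLE);
  return (n == 3 && strcmp(out, "abc") == 0 && sp == SAMPLE + 1) ? 0 : 1;
}
```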

...

Tool              Version    Checker    Description
LDRA tool suite   LDRA_V     203 S      Fully implemented.
GCC               GCC_V                 Can detect violations of this recommendation when the -Wcast-qual flag is used.
Compass/ROSE
ECLAIR            ECLAIR_V   castexpr   Fully implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: EXP35-CPP. Do not cast away a const qualification

ISO/IEC 9899:2011 Section 6.7.3, "Type qualifiers"

...

MITRE CWE: CWE-704, "Incorrect type conversion or cast"

Bibliography

...