 
                            ...
In this example, `strtok()` is used to parse its first argument (the string returned by `getenv("PATH")`) into colon-delimited tokens; each token is printed on a new line. Assume that PATH is "/usr/bin:/usr/sbin:/sbin".
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
  char *token;
  char *path = getenv("PATH");
  /* Assume PATH is "/usr/bin:/usr/sbin:/sbin" */
  token = strtok(path, ":"); /* writes '\0' over the first ':' in the environment string itself */
  puts(token);
  while ((token = strtok(NULL, ":")) != NULL) {
    puts(token);
  }
  printf("PATH: %s\n", path);
  /* PATH is now just "/usr/bin" */
  return 0;
}
```
...
In this compliant solution, the string being tokenized is copied into a temporary buffer that is not referenced after the calls to `strtok()`:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
  char *token;
  const char *path = getenv("PATH");
  /* PATH is something like "/usr/bin:/bin:/usr/sbin:/sbin" */
  if (path == NULL) {
    /* handle error: PATH is not set */
    return 1;
  }
  char *copy = (char *)malloc(strlen(path) + 1);
  if (copy == NULL) {
    /* handle error */
    return 1;
  }
  strcpy(copy, path);
  token = strtok(copy, ":"); /* strtok() writes into the copy, never into path */
  puts(token);
  while ((token = strtok(NULL, ":")) != NULL) {
    puts(token);
  }
  free(copy);
  copy = NULL;
  printf("PATH: %s\n", path);
  /* PATH is still "/usr/bin:/bin:/usr/sbin:/sbin" */
  return 0;
}
```
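The following program is an added example (not part of the CERT page) that puts the noncompliant and compliant patterns above side by side so the difference is observable. It does not read the real environment; `SAMPLE_PATH` is a constructed stand-in for `getenv("PATH")`, and the helpers `count_path_entries()` and `tokenize_in_place()` are hypothetical names chosen here. The first helper tokenizes a private heap copy, as the compliant solution does, and leaves the caller's string untouched; the second runs `strtok()` directly on a buffer the caller owns and shows that the buffer is silently truncated to its first entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample value standing in for getenv("PATH"); it is not read
 * from the environment so the example behaves the same on every machine. */
static const char SAMPLE_PATH[] = "/usr/bin:/usr/sbin:/sbin";

/* Hypothetical helper: count the colon-separated entries of `path` without
 * modifying it. strtok() runs over a private heap copy, as in the compliant
 * solution above, so the caller's string is never written to.
 * Returns -1 for a NULL input or an allocation failure. */
int count_path_entries(const char *path) {
  if (path == NULL) {
    return -1;
  }
  size_t len = strlen(path);
  char *copy = (char *)malloc(len + 1);
  if (copy == NULL) {
    return -1;
  }
  memcpy(copy, path, len + 1); /* includes the terminating '\0' */

  int count = 0;
  for (char *tok = strtok(copy, ":"); tok != NULL; tok = strtok(NULL, ":")) {
    count++;
  }
  free(copy);
  return count;
}

/* Hypothetical helper reproducing the noncompliant behaviour on a buffer
 * the caller owns: strtok() overwrites the first ':' with '\0', so the
 * buffer now reads as its first entry only. Returns strlen(buf) afterwards. */
size_t tokenize_in_place(char *buf) {
  char *tok = strtok(buf, ":");
  while (tok != NULL) {
    tok = strtok(NULL, ":");
  }
  return strlen(buf);
}

int main(void) {
  int n = count_path_entries(SAMPLE_PATH);
  printf("entries: %d\n", n);
  printf("original after copy-based tokenizing: %s\n", SAMPLE_PATH);

  /* Writable copy so the in-place variant has something it is allowed to modify. */
  char buf[sizeof SAMPLE_PATH];
  memcpy(buf, SAMPLE_PATH, sizeof buf);
  size_t remaining = tokenize_in_place(buf);
  printf("buffer after in-place strtok(): \"%s\" (%zu bytes)\n", buf, remaining);
  return 0;
}
```

Running the program prints three entries and the unchanged original string for the copy-based helper, while the in-place variant leaves the buffer holding only "/usr/bin" (8 bytes). That truncation is exactly what the page warns about: any later code that reads the tokenized buffer sees a different value than the one that was stored.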
...
To quote the Linux Programmer's Manual (man) page on `strtok(3)` [Linux 0708]:
...
> Never use this function. This function modifies its first argument. The identity of the delimiting character is lost. This function cannot be used on constant strings.
...
The improper use of `strtok()` is likely to result in truncated data, producing unexpected results later in program execution.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| STR06-C | medium | likely | medium | P12 | L1 | 
...
- [ISO/IEC 9899:1999] Section 7.21.5.8, "The `strtok` function"
- [Linux 0708] [strtok(3)](http://www.kernel.org/doc/man-pages/online/pages/man3/strtok.3.html)
- [MITRE 07] [CWE ID 464](http://cwe.mitre.org/data/definitions/464.html), "Addition of Data Structure Sentinel"
...