
...
```c
#include <stdio.h>

void log(char *errstr) {
  fprintf(stderr, "Error: %s.\n", errstr);
}
/* ... */
const char INVFNAME[] = "Invalid file name.";
/* The cast is tolerable only because log() never writes through errstr. */
log((char *)INVFNAME);
/* ... */
```
...
Risk Assessment
If the object really is constant, the compiler may have put it in ROM or write-protected memory. Trying to modify such an object may lead to a program crash. This could allow an attacker to mount a denial-of-service attack.
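The following is an added example, not code from the CERT page: it contrasts a write through a cast-away const pointer with two ways of avoiding the cast altogether. The function names `log_msg` and `strip_trailing_newline` and the trailing-newline data in `INVFNAME` are assumptions made for this illustration.

```c
/* Added example, not from the CERT page. Assumed names: log_msg(),
 * strip_trailing_newline(), strip_trailing_newline_noncompliant(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A function that only reads its argument should say so in its prototype;
   a const object can then be passed without any cast. */
void log_msg(const char *errstr) {
    fprintf(stderr, "Error: %s.\n", errstr);
}

/* Noncompliant pattern, shown for contrast and never called here: the cast
   silences the compiler, but the store writes through a pointer to a const
   object. If the compiler placed that object in read-only memory the
   program faults; in every case the behaviour is undefined. */
void strip_trailing_newline_noncompliant(const char *s) {
    char *p = (char *)s;                    /* const cast away */
    size_t n = strlen(p);
    if (n > 0 && p[n - 1] == '\n') {
        p[n - 1] = '\0';                    /* write to possibly read-only storage */
    }
}

/* Compliant: a function that must change the text works on its own copy.
   Returns a heap string the caller frees, or NULL on allocation failure. */
char *strip_trailing_newline(const char *s) {
    size_t n = strlen(s);
    char *copy = malloc(n + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, s, n + 1);
    if (n > 0 && copy[n - 1] == '\n') {
        copy[n - 1] = '\0';
    }
    return copy;
}

/* Constructed const data, modelled on the page's INVFNAME. */
const char INVFNAME[] = "Invalid file name.\n";

int main(void) {
    log_msg(INVFNAME);                      /* no cast needed */
    char *clean = strip_trailing_newline(INVFNAME);
    if (clean == NULL) {
        return EXIT_FAILURE;
    }
    log_msg(clean);                         /* INVFNAME itself is untouched */
    free(clean);
    return EXIT_SUCCESS;
}
```

Declaring the parameter `const char *` removes the need for the cast in the read-only case; where modification is genuinely required, copying first keeps the original object, and any read-only memory it lives in, untouched.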
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP05-A | 1 (low) | 2 (probable) | 2 (medium) | P4 | L3
References
- ISO/IEC 9899-1999 Section 6.7.3, "Type qualifiers"