Do not cast away a const qualification on an object of pointer type. Casting away the const qualification allows a program to modify the object referred to by the pointer, which may result in undefined behavior. See undefined behavior 64 in Appendix J of the C standard [ISO/IEC 9899:2011].

As an illustration, C provides a footnote (Section 6.7.3, para. 4):

...

Implementation Details

GCC issues a warning when an implicit cast is performed.

...

Code Block
#include <stdio.h>

/* Legacy function defined elsewhere - cannot be modified */
void audit_log(char *errstr) {
  fprintf(stderr, "Error: %s.\n", errstr);
}

/* ... */
const char INVFNAME[] = "Invalid file name.";
audit_log((char *)INVFNAME); /* EXP05-EX1 */
/* ... */

EXP05-EX2: A number of C standard library functions are specified to return non-const pointers that refer to their const-qualified arguments. When the actual arguments to such functions reference const objects, attempting to use the returned non-const pointers to modify the const objects would violate "EXP40-C. Do not modify constant values" and lead to undefined behavior. These functions are the following:

...

For instance, in the following example, the function strchr returns an unqualified char* that points to the terminating null character of the constant character array s (which could be stored in ROM). Even though the pointer is not const, attempting to modify the character it points to would lead to undefined behavior.

Code Block
  #include <string.h>

  extern const char s[];
  char* where;
  where = strchr(s, '\0');
  /* modifying *where is undefined */

Similarly, in the following example, the function strtol sets the unqualified char* pointer referenced by end to point just past the last successfully parsed character of the constant character array s (which could be stored in ROM). Even though the pointer is not const, attempting to modify the character it points to would lead to undefined behavior.

Code Block
  #include <stdlib.h>

  extern const char s[];
  long x;
  char* end;
  x = strtol(s, &end, 0);
  /* modifying *end is undefined */

EXP05-EX3: Because const means "read-only," and not "constant," it is sometimes useful to declare struct members as (pointer to) const objects to obtain diagnostics when the user tries to change them in some way other than via the functions that are specifically designed to maintain that data type. Within those functions, however, it may be necessary to strip off the const qualification to update those members.
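EXP05-EX3 in code, as an added example that is not part of the original guideline; struct account and its functions are hypothetical names chosen for illustration. The casts are well-defined only because the storage comes from malloc and was never defined const.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type: callers see name as read-only through the member. */
struct account {
  const char *name; /* heap storage owned by the struct */
  size_t cap;       /* bytes allocated for name, including the null */
};

/* Allocates modifiable storage; only the view through a->name is const. */
int account_init(struct account *a, const char *name, size_t cap) {
  char *buf;
  if (a == NULL || name == NULL || strlen(name) >= cap) return -1;
  buf = malloc(cap);
  if (buf == NULL) return -1;
  strcpy(buf, name); /* length checked above */
  a->name = buf;
  a->cap = cap;
  return 0;
}

/* Maintenance function: strips const to update the member in place.
 * Defined behavior, because the object was created by malloc and was
 * never defined const. Rejects names that do not fit. */
int account_rename(struct account *a, const char *new_name) {
  if (a == NULL || new_name == NULL || strlen(new_name) >= a->cap) return -1;
  strcpy((char *)a->name, new_name); /* EXP05-EX3 */
  return 0;
}

void account_free(struct account *a) {
  if (a == NULL) return;
  free((char *)a->name); /* EXP05-EX3 */
  a->name = NULL;
  a->cap = 0;
}

int main(void) {
  struct account a;
  if (account_init(&a, "alice", 16) != 0) return 1;
  /* a.name[0] = 'A';  would be diagnosed: assignment to read-only location */
  account_rename(&a, "bob");
  printf("%s\n", a.name);
  account_free(&a);
  return 0;
}
```

Compiling with -Wcast-qual flags both casts, which keeps the exception sites confined to the maintenance functions and easy to audit.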

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| LDRA tool suite | | 203 S | Fully implemented. |
| GCC | | | Can detect violations of this recommendation when the -Wcast-qual flag is used. |
| Compass/ROSE | | | |
| ECLAIR | | castexpr | Fully implemented. |
| PRQA QA-C | | 0311 | Fully implemented. |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

TR 24772 Pointer casting and pointer type changes

...

[HFC] and

...

Type system

...

[IHN]
MISRA-C Rule 11.5
MITRE CWE

...

...

Incorrect type conversion or cast

...

Bibliography

[ISO/IEC 9899:2011] Section 6.7.3, "Type Qualifiers"

...