...

Avoid casting away const qualification because doing so makes it easier to modify const-qualified objects without issuing diagnostics.  See EXP05-C. Do not cast away a const qualification and STR30-C. Do not attempt to modify string literals for more details.

Noncompliant Code Example

The following well-formed, but noncompliant, code example allows a constant object to be modified:

const int **ipp;
int *ip;
const int i = 42;

void func(void) {
  ipp = &ip; /* Constraint violation */
  *ipp = &i; /* Valid */
  *ip = 0; /* Valid */
}

The first assignment is unsafe because it would allow the valid code that follows to attempt to change the value of the const object i.

Implementation Details

If ipp, ip, and i are declared as automatic variables, this example compiles without warning with Microsoft Visual Studio 2012 when compiled in C mode (/TC), and the resulting program changes the value of i. GCC 4.8.1 generates a warning but compiles, and the resulting program changes the value of i.

If ipp, ip, and i are declared with static storage duration, this program compiles without warning and terminates abnormally with Microsoft Visual Studio 2012, and compiles with a warning and terminates abnormally with GCC 4.8.1.

...

The compliant solution depends on the intent of the programmer. If the intent is that the value of i is modifiable, then it should not be declared as a constant, as in this compliant solution:

int **ipp;
int *ip;
int i = 42;

void func(void) {
  ipp = &ip; /* Valid */
  *ipp = &i; /* Valid */
  *ip = 0; /* Valid */
}

If the intent is that the value of i is not meant to change, then do not write noncompliant code that attempts to modify it. This may require relying on additional analysis tools to catch constraint violations in cases where the compiler does not emit a diagnostic.

Noncompliant Code Example

The following well-formed, but noncompliant, code example modifies a constant object after casting away its const qualifier.

const char s[] = "foo";
void func(void) {
  *(char *)s = '\0';
}

Compliant Solution

Similar to the previous compliant solution, this compliant solution depends on the intent of the programmer. If the intent is that s should be modifiable, then it should not be declared as a constant object. If the intent is that s should not be modifiable, then the explicit cast and assignment operations are erroneous and should be removed.

char s[] = "foo";
void func(void) {
  *s = '\0';
}
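Both noncompliant examples above strip const to reach an object that was declared constant: the first through a second pointer level, the second through an explicit cast. The program below is an added example written for this page (it is not code from the CERT rule) showing the const-correct alternatives for each case. The identifiers modifiable_i, read_through_const_view, write_through_nonconst_path, copy_truncated and the demo_* functions, together with the sample values, are constructed for illustration. It shows that adding qualification at a single pointer level (int * to const int *) is the permitted, safe direction, and that when a modified form of a constant string is needed, the caller works on a bounded writable copy instead of casting the original.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not part of the CERT rule text. Names and sample values
 * below are constructed for illustration. */

/* Case 1 (pointer levels). Converting int * to const int * only ADDS
 * qualification at the one level that is dereferenced, so it is permitted
 * and safe. The noncompliant int ** -> const int ** conversion is not: the
 * object finally written to is const while the path to it is not. */
int modifiable_i = 42;   /* not const, because the intent is to modify it */

/* Read-only access through a single-level const view (valid conversion). */
int read_through_const_view(void) {
    const int *view = &modifiable_i;
    /* *view = 0; would be a constraint violation the compiler rejects. */
    return *view;
}

/* Writes go through a non-const path to a non-const object, never through
 * a cast that removes qualification. Returns the new value. */
int write_through_nonconst_path(int v) {
    int *ip = &modifiable_i;
    *ip = v;
    return modifiable_i;
}

/* Case 2 (const string). The original stays const and may live in read-only
 * memory; code that needs a modified form works on a writable copy. */
static const char s[] = "foo";   /* constructed sample, never written */

/* Copy src into dst (capacity cap) and truncate the copy at the first ch.
 * Returns the resulting length, or (size_t)-1 if dst is too small. */
size_t copy_truncated(char *dst, size_t cap, const char *src, char ch) {
    size_t len = strlen(src);
    if (len + 1 > cap) {
        return (size_t)-1;   /* refuse rather than overflow dst */
    }
    memcpy(dst, src, len + 1);
    char *p = strchr(dst, ch);   /* searched on the writable copy, not src */
    if (p != NULL) {
        *p = '\0';
    }
    return strlen(dst);
}

/* Exercises case 2: returns 1 if the copy became "f" and s is unchanged. */
int demo_copy_then_modify(void) {
    char buf[sizeof s];
    if (copy_truncated(buf, sizeof buf, s, 'o') != 1) {
        return 0;
    }
    if (strcmp(buf, "f") != 0) {
        return 0;
    }
    return strcmp(s, "foo") == 0;
}

/* Exercises the bounds check: returns 1 if a too-small buffer is rejected. */
int demo_copy_rejects_small_buffer(void) {
    char tiny[2];
    return copy_truncated(tiny, sizeof tiny, s, 'o') == (size_t)-1;
}
```

The copy costs a buffer of sizeof s bytes, which is the price of keeping s genuinely constant: a static const array may be placed in a read-only section, and the Implementation Details above describe exactly the abnormal termination that a write through a cast produces in that case.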

Risk Assessment

Modifying constant objects through non-constant references results in undefined behavior.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
EXP40-C  Low       Unlikely    Medium            P2        L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Bibliography

[ISO/IEC 9899:2011] Subclause 6.7.3, "Type Qualifiers"
                    Subclause 6.5.16.1, "Simple assignment"

...