Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

String literals are The type of a narrow string literal is an array of char, and the type of a wide string literal is an array of wchar_t. However, string literals (of both types) are notionally constant and should only be assigned to constant pointersconsequently be protected by const qualification. This recommendation supports rule is a specialization of DCL00-C. Const-qualify immutable objects and also supports STR30-C.

Non-Compliant Code Example

. Do not attempt to modify string literals.

Adding const qualification may propagate through a program; as const qualifiers are added, still more become necessary. This phenomenon is sometimes called const-poisoning. Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. Although const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.

Noncompliant Code Example (Narrow String Literal)

In this noncompliant code example, the const keyword has been omitted:The const keyword is not included in this declaration.

Code Block
bgColor#FFcccc
langc

char *c = "Hello"; /* Bad: assigned to non-const */
c[3] = 'a'; /* Undefined (but compiles) */

Compliant Solution 1

In cases where the string referenced by c is not meant to be modified, c should be declared as a const pointers,
preventing direct manipulation of the contents of the string literals.


If a statement such as c[0] = 'C' were placed following the declaration in the noncompliant code example, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.

Compliant Solution (Immutable Strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

Code Block
bgColor#ccccFF
langc
const char
Code Block
bgColor#ccccFF

char const *c = "Hello"; /* Good */
//c[3] = 'a'; would cause a compile error

Compliant Solution

...

(Mutable Strings)

In cases where the string referenced by c is meant to be modified, use initialization instead of assignment. In this compliant solution, both c is a and b are modifiable char arrays which have array that has been initialized using the contents of the corresponding string literal.:

Code Block
bgColor#ccccFF
langc

char ac[] = "abcHello";

This code is equivalent to:

Code Block
bgColor#ccccFF

char a[] = {'a', 'b', 'c', '\0'};

Non-Compliant Code Example 1

Consequently, a statement such as c[0] = 'C' is valid and behaves as expected.

Noncompliant Code Example (Wide String Literal)

In this noncompliant code example, the const keyword has been omitted:Although this code example is not compliant with the C99 Standard, it executes correctly if the contents of CMUfullname are not modified.

Code Block
bgColor#FFcccc
langc
wchar_t
char *CMUfullnamec = L"Carnegie Mellon";

/* get school from user input and validate */

if (strcmp(school,"CMU")) {
    school = CMUfullname;
}

Non-Compliant Code Example 2

Adding in the const keyword will generate a compiler warning, as the assignment of CMUfullname to school discards the const qualifier. Any modifications to the contents of school after this assignment will lead to errors.

Code Block
bgColor#FFcccc

char const *CMUfullname = "Carnegie Mellon";

/* get school from user input and validate */

if (strcmp(school,"CMU")) {
    school = CMUfullname;
}

Compliant Solution

The compliant solution uses the const keyword to protect the string literal, as well as using strcpy() to copy the value of CMUfullname into school, allowing future modification of school.

...

bgColor#ccccFF

...

Hello";

If a statement such as c[0] = L'C' were placed following this declaration, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.

Compliant Solution (Immutable Strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

Code Block
bgColor#ccccFF
langc
wchar_t const *c = L"Hello";

Compliant Solution (Mutable Strings)

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable wchar_t array that has been initialized using the contents of the corresponding string literal:

Code Block
bgColor#ccccFF
langc
wchar_t c[] = L"Hello";

Consequently, a statement such as c[0] = L'C' is valid and behaves as expected.

Risk Assessment

Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.

Rule

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

STR05

-A

1 (low)

3 (likely)

2(medium)

P6

L2

References:

-C

Low

Unlikely

Yes

Yes

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
literal-assignment
Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-STR05
Clang

Include Page
Clang_V
Clang_V

-Wwrite-stringsNot enabled by -Weverything
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.TYPE.NCSNon-const string literal
Compass/ROSE




ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.STR05

Fully implemented

GCC

Include Page
GCC_V
GCC_V

-Wwrite-strings
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0752, C0753
Klocwork

Include Page
Klocwork_V
Klocwork_V

MISRA.STRING_LITERAL.NON_CONST.2012
LDRA tool suite
Include Page
LDRA_V
LDRA_V
623 S

Fully implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-STR05-a

A string literal shall not be modified

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

1776

Fully supported

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
literal-assignmentFully checked
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

RTOS_31Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography


...

Image Added Image Added Image Added Wiki Markup[http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1993/N0389.asc] \[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 6.7.8, "Initialization" \[Lockheed Martin 2005\] Lockheed Martin. Joint Strike Fighter Air Vehicle C+\+ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001, Rev C. December 2005.     AV Rule 151.1