
String literals are The type of a narrow string literal is an array of char
, and the type of a wide string literal is an array of wchar_t
. However, string literals (of both types) are notionally constant and should only be assigned to constant pointersconsequently be protected by const
qualification. This recommendation supports rule is a specialization of DCL00-C. Const-qualify immutable objects and also supports STR30-C.
Non-Compliant Code Example
. Do not attempt to modify string literals.
Adding const
qualification may propagate through a program; as const
qualifiers are added, still more become necessary. This phenomenon is sometimes called const-poisoning. Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. Although const
qualification is a good idea, the costs may outweigh the value in the remediation of existing code.
Noncompliant Code Example (Narrow String Literal)
In this noncompliant code example, the const
keyword has been omitted:The const
keyword is not included in this declaration.
Code Block | ||||
---|---|---|---|---|
| ||||
char *c = "Hello"; /* Bad: assigned to non-const */ c[3] = 'a'; /* Undefined (but compiles) */ |
Compliant Solution 1
In cases where the string referenced by c
is not meant to be modified, c
should be declared as a const
pointers,
preventing direct manipulation of the contents of the string literals.
|
If a statement such as c[0] = 'C'
were placed following the declaration in the noncompliant code example, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (Immutable Strings)
In this compliant solution, the characters referred to by the pointer c
are const
-qualified, meaning that any attempt to assign them to different values is an error:
Code Block | ||||
---|---|---|---|---|
| ||||
const char | ||||
Code Block | ||||
| ||||
char const *c = "Hello"; /* Good */ //c[3] = 'a'; would cause a compile error |
Compliant Solution
...
(Mutable Strings)
In cases where the string referenced by c
is meant to be modified, use initialization instead of assignment. In this compliant solution, both c
is a and b
are modifiable char
arrays which have array that has been initialized using the contents of the corresponding string literal.:
Code Block | ||||
---|---|---|---|---|
| ||||
char ac[] = "abcHello"; |
This code is equivalent to:
Code Block | ||
---|---|---|
| ||
char a[] = {'a', 'b', 'c', '\0'};
|
Non-Compliant Code Example 1
Consequently, a statement such as c[0] = 'C'
is valid and behaves as expected.
Noncompliant Code Example (Wide String Literal)
In this noncompliant code example, the const
keyword has been omitted:Although this code example is not compliant with the C99 Standard, it executes correctly if the contents of CMUfullname
are not modified.
Code Block | ||||
---|---|---|---|---|
| ||||
wchar_t char *CMUfullnamec = L"Carnegie Mellon"; /* get school from user input and validate */ if (strcmp(school,"CMU")) { school = CMUfullname; } |
Non-Compliant Code Example 2
Adding in the const
keyword will generate a compiler warning, as the assignment of CMUfullname
to school
discards the const
qualifier. Any modifications to the contents of school
after this assignment will lead to errors.
Code Block | ||
---|---|---|
| ||
char const *CMUfullname = "Carnegie Mellon";
/* get school from user input and validate */
if (strcmp(school,"CMU")) {
school = CMUfullname;
}
|
Compliant Solution
The compliant solution uses the const
keyword to protect the string literal, as well as using strcpy()
to copy the value of CMUfullname
into school
, allowing future modification of school
.
...
bgColor | #ccccFF |
---|
...
Hello";
|
If a statement such as c[0] = L'C'
were placed following this declaration, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (Immutable Strings)
In this compliant solution, the characters referred to by the pointer c
are const
-qualified, meaning that any attempt to assign them to different values is an error:
Code Block | ||||
---|---|---|---|---|
| ||||
wchar_t const *c = L"Hello";
|
Compliant Solution (Mutable Strings)
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c
is a modifiable wchar_t
array that has been initialized using the contents of the corresponding string literal:
Code Block | ||||
---|---|---|---|---|
| ||||
wchar_t c[] = L"Hello";
|
Consequently, a statement such as c[0] = L'C'
is valid and behaves as expected.
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
Recommendation | Severity | Likelihood | Detectable |
---|
Repairable | Priority | Level |
---|---|---|
STR05 |
1 (low)
3 (likely)
2(medium)
P6
L2
References:
-C | Low | Unlikely | Yes | Yes | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| literal-assignment | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-STR05 | |||||||
Clang |
| -Wwrite-strings | Not enabled by -Weverything | ||||||
CodeSonar |
| LANG.TYPE.NCS | Non-const string literal | ||||||
Compass/ROSE | |||||||||
| CC2.STR05 | Fully implemented | |||||||
GCC |
| -Wwrite-strings | |||||||
Helix QAC |
| C0752, C0753 | |||||||
Klocwork |
| MISRA.STRING_LITERAL.NON_CONST.2012 | |||||||
LDRA tool suite |
| 623 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-STR05-a | A string literal shall not be modified | ||||||
PC-lint Plus |
| 1776 | Fully supported | ||||||
RuleChecker |
| literal-assignment | Fully checked | ||||||
Security Reviewer - Static Reviewer |
| RTOS_31 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
[Corfield 1993] | |
[Lockheed Martin 2005] | AV Rule 151.1 |
...
[http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1993/N0389.asc]
\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 6.7.8, "Initialization"
\[Lockheed Martin 2005\] Lockheed Martin. Joint Strike Fighter Air Vehicle C+\+ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001, Rev C. December 2005. AV Rule 151.1 Wiki Markup