...
Null-terminated byte strings are implemented as arrays of characters and are susceptible to the same problems as arrays. As a result, rules and recommendations for arrays should also be applied to null-terminated byte strings.
...
Understanding how to represent characters and character strings can eliminate many common programming errors that lead to software vulnerabilities.
Recommendation | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
STR00-C | Medium | Probable | No |
No |
P4 |
L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported indirectly via MISRA C:2004 rule 6.1 and MISRA C:2012 rule 10.1. | |||||||
| CodeSonar |
| MISC.NEGCHAR | Negative Character Value | ||||||
| Helix QAC |
| C0634, C0635, C1292, C1293, C1810, C1811, C1812, C1813, C1814, C2151, C4010, C4011, C4063, C4064, C4065, C4310, C4312, C4315, C4401, C4410, C4412, C4413, C4414, C4415, C4421, C4431, C4441, C4451, C4510, C4511, C4512, C4513, C4514, C4517, C4518, C4519, C4580, C4581, C4582, C4583, C4584, C4585, C4586 DF2806, DF2807, DF2808, DF2816, DF2817, DF2818
| |||||||
| LDRA tool suite |
| 329 S, 432 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-STR00-a | The plain char type shall be used only for the storage and use of character values | ||||||
| RuleChecker |
| Supported indirectly via MISRA C:2004 rule 6.1 and MISRA C:2012 rule 10.1. | |||||||
| SonarQube C/C++ Plugin |
| S810 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 9899:2011] | Subclause 6.2.6, "Representations of Types" |
| [Seacord 2013] | Chapter 2, "Strings" |
...
...