 
                            Wiki Markup strtok()}}  is   a   string   tokenization   function   that   takes   two   arguments:   an   initial   string   to   be   parsed   and   a   const-qualified   character   delimiter.   It   returns   a   pointer   to   the   first   character   of   a   token   or   to   a   null   pointer   if   there   is   no   token.
The first time strtok() is called, the string is parsed into tokens and a character delimiter. The strtok() function parses the string up to the first instance of the delimiter character, replaces the character in place with a null byte ('\0'), and returns the address of the first character in the token. Subsequent calls to strtok() begin parsing immediately after the most recently - placed null character.
Because strtok() modifies the initial string to be parsed, the string is subsequently unsafe and cannot be used in its original form. If you need to preserve the original string, copy it into a buffer and pass the address of the buffer to strtok() instead of the original string.
...
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
char *token;
char *path = getenv("PATH");
token = strtok(path, ":");
puts(token);
while (token = strtok(0, ":")) {
  puts(token);
}
printf("PATH: %s\n", path);
/* PATH is now just "/usr/bin" */
 | 
After the loop ends, path is modified as follows: "/usr/bin\0/bin\0/usr/sbin\0/sbin\0". This is an issue because the local path variable becomes /usr/bin and because the environment variable PATH has been unintentionally changed, which can have unintended consequences. (See rule ENV30-C. Do not modify the object referenced by the return value of certain functions.)
...
In this compliant solution, the string being tokenized is copied into a temporary buffer which buffer that is not referenced after the call to strtok():
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| char *token; const char *path = getenv("PATH"); /* PATH is something like "/usr/bin:/bin:/usr/sbin:/sbin" */ char *copy = (char *)malloc(strlen(path) + 1); if (copy == NULL) { /* handleHandle error */ } strcpy(copy, path); token = strtok(copy, ":"); puts(token); while (token = strtok(0, ":")) { puts(token); } free(copy); copy = NULL; printf("PATH: %s\n", path); /* PATH is still "/usr/bin:/bin:/usr/sbin:/sbin" */ | 
Another possibility is to provide your own implementation of strtok() that does not modify the initial arguments.
Risk Assessment
...
The  Linux   Programmer's   Manual  (man)   page   on  {{strtok(3)}} \ [[Linux   2008|AA. Bibliography#Linux 08]\]   states:
Never use this function. This function modifies its first argument. The identity of the delimiting character is lost. This function cannot be used on constant strings.
The improper use of strtok() is likely to result in truncated data, producing unexpected results later in program execution.
| Recommendation | Severity | Likelihood | Detectable | 
|---|
| Repairable | Priority | Level | 
|---|---|---|
| STR06-C | Medium | 
| Likely | 
| No | 
| No | 
| P6 | 
| L2 | 
Automated Detection
| Tool | Version | Checker | Description | 
|---|
| CodeSonar | 
Fortify SCA
| Section | 
|---|
| V. 5.0 | 
| Section | 
|---|
| can detect violations of this rule with CERT C Rule Pack | 
| 
 | (customization) | Users who wish to avoid using  strtok()entirely can add a custom check for all uses ofstrtok(). | 
| Compass/ROSE | 
| Helix QAC | 
 | C5007 | |||||||
| LDRA tool suite | 
 | 602 S | Enhanced Enforcement | ||||||
| Polyspace Bug Finder | 
 | Checks for string passed to strok() without copying. | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
ISO/IEC 9899:1999 Section 7.21.5.8, "The strtok function"
...
...
| Addition of | 
...
| data structure sentinel | 
Bibliography
...
...
| [ | 
...
...
...
...
|http://www.kernel.org/doc/man-pages/online/pages/man3/strtok.3.html] 07. Characters and Strings (STR) STR07-C. Use C11 Annex K bounds-checking interfaces for remediation of existing string manipulation code