Page History

According to the C Standard, subclause 6.4.5, paragraph 3 [ISO/IEC 9899:20112024],:

A A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in "xyz". A UTF−8 UTF-8 string literal is the same, except prefixed by u8. A wide wchar_t string literal is the same, except prefixed by the letter L, u, or UL. A UTF-16 string literal is the same, except prefixed by u. A UTF-32 string literal is the same, except prefixed by U. Collectively, wchar_t, UTF-16, and UTF-32 string literals are called wide string literals.

At compile time, string literals are used to create an array of static storage duration of sufficient length to contain the character sequence and a terminating null character. String literals are usually referred to by a pointer to (or array of) characters. Ideally, they should be assigned only to pointers to (or arrays of) const char or const wchar_t. It is unspecified whether these arrays of string literals are distinct from each other. The behavior is undefined if a program attempts to modify any portion of a string literalsliteral. Modifying a string literal frequently results in an access violation because string literals are typically stored in read-only memory. (see See undefined behavior 3332.)String literals are usually referred to by

Avoid assigning a string literal to a pointer to , or array of characters. Ideally, they should be assigned only to pointers to (or arrays of) const char.When called with non-const or casting a string literal to a pointer to non-const. For the purposes of this rule, a pointer to (or array of) const characters must be treated as a string literal. Similarly, the return returned value from of the following library functions shall must be treated as a pointer to const charactersstring literal if the first argument is a string literal:

strpbrk(), strchr(), strrchr(), strstr()
wcspbrk(), wcschr(), wcsrchr(), wcsstr()
memchr(), wmemchr()

Do not attempt to modify a string literal. Instead, use a named array of characters to create a modifiable copy of a string literal.

This rule is a specific instance of EXP40-C. Do not modify constant objects.

...

In this noncompliant code example, the char pointer p is str is initialized to the address of a string literal. Attempting to modify the string literal results in is undefined behavior 32:

Code Block

bgColor	#FFcccc
lang	c

char *pstr  = "string literal";
pstr[0] = 'S';

Compliant Solution

As an array initializer, a string literal specifies the initial values of characters in an array as well as the size of the array. (See STR11-C. Do not specify the bound of a character array initialized with a string literal.) This code creates a copy of the string literal in the space allocated to the character array a str. The string stored in a can str can be modified safely modified.

Code Block

bgColor	#ccccff
lang	c

char astr[] = "string literal";
astr[0] = 'S';

Noncompliant Code Example (POSIX)

...

Compliant Solution (POSIX)

Instead This compliant solution uses a named array instead of passing a string literal, use a named array:

Code Block

bgColor	#ccccff
lang	c

#include <stdlib.h>
 
void func(void) {
  static char fname[] = "/tmp/edXXXXXX";
  mkstemp(fname);
}

...

In this noncompliant example, the char * result of the strrchr() function is used to modify the object pointed to by pathname. Because the pointer argument to strrchr() points to a string literal, the effects of the modification are undefined.

...

This compliant solution avoids modifying a const object, even if it is possible to obtain a non-const pointer to such an object by calling a standard C library function, such as strrchr(). To reduce the risk of to callers of get_dirname(), a buffer and length for the directory name are passed into the function. It is insufficient to change pathname to require a char * instead of a const char * because conforming compilers are not required to diagnose passing a string literal to a function accepting a char *.

...

Modifying string literals can lead to abnormal program termination and possibly denial-of-service attacks.

Rule	Severity	Likelihood	Detectable

Remediation Cost

Repairable	Priority	Level
STR30-C	Low	Likely

Low

No

Yes

P9

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

string-literal-modfication
write-to-string-literal

Fully checked

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-STR30

Fully implemented

Compass/ROSE

Can detect simple violations of this rule

Coverity

Include Page

	Coverity_V
	Coverity_V

PW

Deprecates conversion from a string literal to "char *"

Cppcheck Premium

Include Page

	Cppcheck Premium_V
	Cppcheck Premium_V

premium-cert-str30-c

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C0556, C0752, C0753, C0754

C++3063, C++3064, C++3605, C++3606, C++3607

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

CERT.STR.ARG.CONST_TO_NONCONST
CERT.STR.ASSIGN.CONST_TO_NONCONST

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

157 S

Partially implemented

PRQA QA-C Include PagePRQA_VPRQA_V0556

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-STR30-a
CERT_C-STR30-b

A string literal shall not be modified
Do not modify string literals

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

489, 1776

Partially supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule STR30-C

Checks for writing to const qualified object (rule fully covered)

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V675

RuleChecker

Include Page

	RuleChecker_V
	RuleChecker_V

string-literal-modfication

Partially checked

Partially implemented

Splint

Include Page

	Splint_V
	Splint_V

TrustInSoft Analyzer

Include Page

	TrustInSoft Analyzer_V
	TrustInSoft Analyzer_V

mem_access

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy	Taxonomy item	Relationship
CERT C Secure Coding Standard	EXP05-C. Do not cast away a const qualification	Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C Secure Coding Standard	STR11-C. Do not specify the bound of a character array initialized with a string literal

CERT C++ Secure Coding Standard STR30-CPP. Do not attempt to modify string literals

Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013	Modifying string literals [strmod]	Prior to 2018-01-12: CERT: Unspecified Relationship

Bibliography

[ISO/IEC 9899:

2011

2024]

6.4.5, "String

literals

Literals"
[Plum 1991]	Topic 1.26, "Strings—String Literals"
[Summit 1995]	comp.lang.c FAQ

list

List, Question 1.32

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 87

New Version Current

Key

Compliant Solution

Noncompliant Code Example (POSIX)

Compliant Solution (POSIX)

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography