
Since std::basic_string is a container of characters, this rule is a specific instance of CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container. As a container, it supports iterators just like other containers in the Standard Template Library. However, the std::basic_string template class has unusual invalidation semantics. The C++ Standard, [string.require], paragraph 5 [ISO/IEC 14882-2014], states the following:

References, pointers, and iterators referring to the elements of a basic_string sequence may be invalidated by the following uses of that basic_string object:

  • As an argument to any standard library function taking a reference to non-const basic_string as an argument.
  • Calling non-const member functions, except operator[], at, front, back, begin, rbegin, end, and rend.

Examples of standard library functions taking a reference to non-const std::basic_string are std::swap(), ::operator>>(basic_istream &, string &), and std::getline().

Do not use an invalidated reference, pointer, or iterator because doing so results in undefined behavior.

Noncompliant Code Example

This noncompliant code example copies input into a std::string, replacing semicolon (;) characters with spaces. This example is noncompliant because the iterator loc is invalidated after the first call to insert(). The behavior of subsequent calls to insert() is undefined.

```cpp
#include <string>

void f(const std::string &input) {
  std::string email;
  std::string::iterator loc = email.begin();

  // Copy input into email converting ";" to " "
  for (auto i = input.begin(), e = input.end(); i != e; ++i, ++loc) {
    email.insert(loc++, *i != ';' ? *i : ' ');
  }
}
```

Compliant Solution (std::string::insert())

In this compliant solution, the value of the iterator loc is updated as a result of each call to insert() so that the invalidated iterator is never accessed. The updated iterator is then incremented at the end of the loop.

```cpp
#include <string>

void f(const std::string &input) {
  std::string email;
  std::string::iterator loc = email.begin();

  // Copy input into email converting ";" to " "
  for (auto i = input.begin(), e = input.end(); i != e; ++i, ++loc) {
    loc = email.insert(loc, *i != ';' ? *i : ' ');
  }
}
```

Compliant Solution (std::replace())

This compliant solution uses a standard algorithm to perform the replacement. When possible, using a generic algorithm is preferable to inventing your own solution.

```cpp
#include <algorithm>
#include <string>

void f(const std::string &input) {
  std::string email{input};
  std::replace(email.begin(), email.end(), ';', ' ');
}
```
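The two compliant solutions above return nothing, so their behavior is hard to observe. The following added example (not code from the CERT page) turns both into functions that return the sanitized string and adds a third function, group_every() (a hypothetical helper name chosen here), that inserts a separator in the middle of a string rather than only at its end. Mid-string insertion is where a stale iterator is most harmful, because insert() both may reallocate and shifts every element after the insertion point; the helper relies only on the iterator that insert() returns. The sample inputs are constructed, reusing the page's example address.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

// Copies input into a new string, replacing ';' with ' '. Only the iterator
// returned by insert() is ever used after the call, so no invalidated
// iterator is dereferenced (the page's first compliant solution, made to
// return its result).
std::string sanitize_with_insert(const std::string &input) {
  std::string email;
  std::string::iterator loc = email.begin();
  for (auto i = input.begin(), e = input.end(); i != e; ++i, ++loc) {
    loc = email.insert(loc, *i != ';' ? *i : ' ');
  }
  return email;
}

// Same result with a standard algorithm: no hand-written iterator bookkeeping.
std::string sanitize_with_replace(const std::string &input) {
  std::string email{input};
  std::replace(email.begin(), email.end(), ';', ' ');
  return email;
}

// Hypothetical helper: inserts sep after every n characters of text, with no
// trailing separator. Each insert() lands in the middle of the string, so the
// iterator held across the call is replaced by the one insert() returns and
// end() is re-read on every loop iteration instead of being cached.
std::string group_every(std::string text, std::size_t n, char sep) {
  if (n == 0) {
    return text;
  }
  std::string::iterator it = text.begin();
  std::size_t run = 0;
  while (it != text.end()) {
    ++it;
    ++run;
    if (run == n && it != text.end()) {
      it = text.insert(it, sep);  // 'it' now refers to the inserted sep
      ++it;                       // step past it to the original next char
      run = 0;
    }
  }
  return text;
}

int main() {
  // Constructed sample input, reusing the page's example address.
  const std::string input = "bogus@addr.com; cat /etc/passwd";
  std::cout << sanitize_with_insert(input) << '\n';
  std::cout << sanitize_with_replace(input) << '\n';
  std::cout << group_every("abcdefgh", 3, '-') << '\n';  // abc-def-gh
  return 0;
}
```

Both sanitizers produce identical output for any input, including inputs long enough to force several reallocations, which is exactly the situation in which the noncompliant loop's `loc++` dereferences freed storage.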

Noncompliant Code Example

In this noncompliant code example, data is invalidated after the call to replace(), and so its use in g() is undefined behavior.

```cpp
#include <iostream>
#include <string>

extern void g(const char *);

void f(std::string &exampleString) {
  const char *data = exampleString.data();
  // ...
  exampleString.replace(0, 2, "bb");
  // ...
  g(data);
}
```

Compliant Solution

In this compliant solution, the pointer to exampleString's internal buffer is not generated until after the modification from replace() has completed.

```cpp
#include <iostream>
#include <string>

extern void g(const char *);

void f(std::string &exampleString) {
  // ...
  exampleString.replace(0, 2, "bb");
  // ...
  g(exampleString.data());
}
```

Compliant Solution (size() and capacity())

The relationship between size and capacity makes it possible to predict when a call to a non-const member function will cause a string to perform a reallocation. This in turn makes it possible to predict when an insertion will invalidate references, pointers, and iterators (to anything other than the end of the string).

In the following example, the call to push_back() does not invalidate the iterator.

```cpp
#include <string>

void f(std::string &s) {
  // ...
  if (s.size() < s.capacity()) {
    s.push_back('x');
  }
}
```

If instead of performing a push_back(), the code were to insert into an arbitrary location in the string, all references, pointers, and iterators from the insertion point to the end of the string are invalidated.

Exceptions

The intent of these iterator invalidation rules is to give implementors greater freedom in implementation techniques. Some implementations provide versions of these member functions that do not invalidate references, pointers, and iterators in all cases. Check your implementation-specific documentation and, for portability, document any reliance on semantics that differ from those specified by the standard.
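The following added example (not code from the CERT page) makes the data() pattern above observable. g_last_seen and the local g() stand in for the page's extern g(const char *); this g() only records the text it is handed. call_g_after_replace() is the page's fix, taking data() only after the last modification. call_g_with_snapshot() covers the case the page leaves open, where g() needs the text as it was before replace(): the pre-modification content is copied into a string that owns its own buffer, so no raw pointer into exampleString is held across the call. buffer_moved_on_append() is a diagnostic for the size()/capacity() discussion: it reports whether growing a string moved its buffer, which is what turns a saved data() pointer into a dangling one. Whether a given append moves the buffer is an implementation detail, so that result is printed rather than relied on. All function and variable names are chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// Stand-in for the page's extern g(const char *): records what it was handed.
static std::string g_last_seen;

void g(const char *text) { g_last_seen = text; }

// Safe: ask for data() only after the last modification (the page's fix).
std::string call_g_after_replace(std::string exampleString) {
  exampleString.replace(0, 2, "bb");
  g(exampleString.data());
  return g_last_seen;
}

// Safe when g() needs the pre-modification text: copy it into a string with
// its own storage before mutating exampleString. 'before' is unaffected by
// replace(), so its c_str() stays valid for as long as 'before' lives.
std::string call_g_with_snapshot(std::string exampleString) {
  const std::string before = exampleString;
  exampleString.replace(0, 2, "bb");
  g(before.c_str());
  return g_last_seen;
}

// Diagnostic: did appending 'extra' characters move the string's buffer?
// The old address is kept as an integer so that no pointer into freed
// storage is used after the append.
bool buffer_moved_on_append(std::string s, std::size_t extra) {
  const std::uintptr_t before = reinterpret_cast<std::uintptr_t>(s.data());
  s.append(extra, 'x');
  return reinterpret_cast<std::uintptr_t>(s.data()) != before;
}

int main() {
  std::cout << call_g_after_replace("hello") << '\n';   // bbllo
  std::cout << call_g_with_snapshot("hello") << '\n';   // hello

  std::string s = "constructed sample";                 // constructed input
  std::cout << "room left before reallocation: "
            << (s.capacity() - s.size()) << '\n';
  std::cout << std::boolalpha
            << "buffer moved when appending within capacity: "
            << buffer_moved_on_append(s, 0) << '\n'
            << "buffer moved when appending past capacity: "
            << buffer_moved_on_append(s, s.capacity() + 1) << '\n';
  return 0;
}
```

On common implementations the second diagnostic line prints true, which is the concrete reason the noncompliant example's saved data pointer cannot be passed to g() after replace(); the first line is implementation-specific, which is why the Exceptions section asks for any reliance on it to be documented.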

Risk Assessment

Using an invalid reference, pointer, or iterator to a string object could allow an attacker to run arbitrary code.

| Rule      | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|-----------|----------|------------|------------|------------|----------|-------|
| STR52-CPP | High     | Probable   | No         | No         | P6       | L2    |

Automated Detection

| Tool                                | Version | Checker                        | Description                                                                          |
|-------------------------------------|---------|--------------------------------|--------------------------------------------------------------------------------------|
| CodeSonar                           |         | ALLOC.UAF                      | Use After Free                                                                       |
| Helix QAC                           |         | DF4746, DF4747, DF4748, DF4749 |                                                                                      |
| Parasoft C/C++test                  |         | CERT_CPP-STR52-a               | Use valid references, pointers, and iterators to reference elements of a basic_string |
| Polyspace Bug Finder                |         | CERT C++: STR52-CPP            | Checks for use of invalid string iterator (rule partially covered).                  |
| Security Reviewer - Static Reviewer | 6.02    | C24                            | Fully implemented                                                                    |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014] Subclause 21.4.1, "basic_string General Requirements"

[Meyers 2001] Item 43, "Prefer Algorithm Calls to Hand-written Loops"