The C function
strtok() is a string tokenization function that takes two arguments: an initial string to be parsed and a
const-qualified character delimiter. It returns a pointer to the first character of a token or to a null pointer if there is no token.
The first time
strtok() is called, the string is parsed into tokens and a character delimiter. The
strtok() function parses the string up to the first instance of the delimiter character, replaces the character in place with a null byte (
'\0'), and returns the address of the first character in the token. Subsequent calls to
strtok() begin parsing immediately after the most recently placed null character.
strtok() modifies the initial string to be parsed, the string is subsequently unsafe and cannot be used in its original form. If you need to preserve the original string, copy it into a buffer and pass the address of the buffer to
strtok() instead of the original string.
Noncompliant Code Example
In this example, the
strtok() function is used to parse the first argument into colon-delimited tokens; it outputs each word from the string on a new line. Assume that
After the loop ends,
path is modified as follows:
"/usr/bin\0/bin\0/usr/sbin\0/sbin\0". This is an issue because the local
path variable becomes
/usr/bin and because the environment variable
PATH has been unintentionally changed, which can have unintended consequences. (See ENV30-C. Do not modify the object referenced by the return value of certain functions.)
In this compliant solution, the string being tokenized is copied into a temporary buffer that is not referenced after the call to
Another possibility is to provide your own implementation of
strtok() that does not modify the initial arguments.
The Linux Programmer's Manual (man) page on
strtok(3) [Linux 2008] states:
Never use this function. This function modifies its first argument. The identity of the delimiting character is lost. This function cannot be used on constant strings.
The improper use of
strtok() is likely to result in truncated data, producing unexpected results later in program execution.
|(customization)||Users who wish to avoid using|
|LDRA tool suite|
|Polyspace Bug Finder|
Function attempts to modify internal buffer returned from a nonreentrant standard function
Object declared with a
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID STR06-CPP. Do not assume that strtok() leaves the parse string unchanged|
|MITRE CWE||CWE-464, Addition of data structure sentinel|