Strings are a fundamental concept in software engineering, but they are not a built-in type in C. Null-terminated byte strings (NTBS) consist of a contiguous sequence of characters terminated by and including the first NULL character. The C programming language supports the following types of null-terminated byte strings: single byte character strings, multibyte character strings, and wide character strings. Single byte and multibyte character strings are both described as null-terminated byte strings.
A pointer to a single byte or multibyte character string points to its initial character. The length of the string is the number of bytes preceding the NULL character, and the value of the string is the sequence of the values of the contained characters, in order.
A wide string is a contiguous sequence of wide characters terminated by and including the first NULL wide character. A pointer to a wide string points to its initial (lowest addressed) wide character. The length of a wide string is the number of wide characters preceding the NULL wide character, and the value of a wide string is the sequence of code values of the contained wide characters, in order.
Null-terminated byte strings are implemented as arrays of characters and are susceptible to the same problems as arrays. As a result, rules and recommendations for arrays should also be applied to null-terminated byte strings.
Recommendations
STR00-A. Use TR 24731 for remediation of existing string manipulation code
STR01-A. Use managed strings for development of new string manipulation code
STR02-A. Sanitize data passed to complex subsystems
STR03-A. Do not inadvertently truncate a null-terminated byte string
STR05-A. Prefer making string literals const-qualified
STR06-A. Don't assume that strtok() leaves its string argument unchanged
STR07-A. Use plain char for character data
Rules
STR30-C. Do not attempt to modify string literals
STR32-C. Null-terminate byte strings as required
STR33-C. Size wide character strings correctly
STR34-C. Cast characters to unsigned types before converting to larger integer sizes
STR35-C. Do not copy data from an unbounded source to a fixed-length array
Risk Assessment Summary
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
STR00-A |
3 (high) |
2 (probable) |
2 (medium) |
P12 |
L1 |
STR01-A |
3 (high) |
2 (probable) |
1 (high) |
P6 |
L2 |
STR02-A |
2 (medium) |
3 (likely) |
2 (medium) |
P12 |
L1 |
STR03-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
STR05-A |
1 (low) |
3 (likely) |
2 (medium) |
P6 |
L2 |
STR06-A |
2 (medium) |
2 (probable) |
3 (low) |
P12 |
L1 |
STR07-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
STR30-C |
1 (low) |
3 (likely) |
3 (low) |
P9 |
L2 |
STR31-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
STR32-C |
3 (high) |
2 (probable) |
2 (medium) |
P12 |
L1 |
STR33-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
STR34-C |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
STR35-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
Related Rules and Recommendations
References
[[ISO/IEC 9899-1999]] Section 7.1.1, "Definitions of terms", and Section 7.21, "String handling <string.h>"
[[Seacord 05]] Chapter 2, "Strings"