A string literal is a sequence of zero or more multibyte characters enclosed in double-quotes ("xyz", for example). A wide string literal is the same, except prefixed by the letter L (L"xyz", for example).
At compile time, string literals are used to create an array of static duration and sufficient length to contain the character sequence and a null termination character. It is unspecified whether these arrays are distinct. The behavior is undefined if a program attempts to modify string literals but frequently results in an access violation, as string literals are typically stored in read-only memory.
Do not attempt to modify a string literal. Use a named array of characters to obtain a modifiable string.
Modifying string literals can lead to abnormal program termination and possibly denial-of-service attacks.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
STR30-C |
1 (low) |
3 (likely) |
3 (low) |
P9 |
L2 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.4.5, "String literals" \[[Summit 95|AA. C References#Summit 95]\] comp.lang.c FAQ list - Question 1.32 \[[Plum 91|AA. C References#Plum 91]\] Topic 1.26, "strings - string literals" |
STR07-A. Use plain char for character data 07. Characters and Strings (STR)