The type of a narrow string literal is array of `char`, and the type of a wide string literal is array of `wchar_t`. However, string literals (of both types) are notionally constant and should consequently be protected by `const` qualification. This recommendation is a specialization of DCL00-C. Const-qualify immutable objects and also supports rule STR30-C. Do not attempt to modify string literals.
Adding `const` qualification may propagate through a program: as you add `const` qualifiers, still more become necessary. This phenomenon is sometimes called "const-poisoning." Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. While `const` qualification is a good idea, the cost of retrofitting it may outweigh its value when remediating existing code.
In the following noncompliant code example, the `const` keyword has been omitted, so `c` is a non-const pointer to the literal:

```c
char *c = "Hello";
```

If a statement such as `c[0] = 'C'` were placed after this declaration, the code is likely to compile cleanly, but the assignment attempts to modify a string literal, which is undefined behavior. On many platforms the literal is placed in read-only memory and the write terminates the program.
In this compliant solution, the characters referred to by the pointer `c` are `const`-qualified, so any attempt to assign to them through `c` is a compile-time error rather than undefined behavior at run time:

```c
const char *c = "Hello";
```
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, `c` is a modifiable `char` array that has been initialized with a copy of the contents of the string literal:

```c
char c[] = "Hello";
```

Consequently, a statement such as `c[0] = 'C'` is valid and behaves as expected, because it modifies the array, not the literal.
The same applies to wide string literals. In the following noncompliant code example, the `const` keyword has been omitted:

```c
wchar_t *c = L"Hello";
```

If a statement such as `c[0] = L'C'` were placed after this declaration, the code is likely to compile cleanly, but the assignment attempts to modify a string literal, which is undefined behavior.
In this compliant solution, the characters referred to by the pointer `c` are `const`-qualified, so any attempt to assign to them through `c` is a compile-time error:

```c
wchar_t const *c = L"Hello";
```
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, `c` is a modifiable `wchar_t` array that has been initialized with a copy of the contents of the wide string literal:

```c
wchar_t c[] = L"Hello";
```

Consequently, a statement such as `c[0] = L'C'` is valid and behaves as expected.
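The following program is an added example, not code from the original page or from CERT, that puts the compliant forms for both the narrow and the wide case side by side: a pointer-to-const view of a literal that cannot be written through without a cast, a read-only function parameter so that literals can be passed without propagating a non-const pointer type, and writable arrays initialized from literals so that the modification is well defined. The function names (`narrow_view`, `wide_view`, `count_char`, `capitalized_copy`, `capitalized_wide_copy`) are my own; the string contents are the page's "Hello".

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Read-only access: returning pointer-to-const means a caller cannot write
 * through the result without a cast, so narrow_view()[0] = 'C' is rejected
 * by the compiler instead of faulting at run time. */
const char *narrow_view(void)
{
    const char *c = "Hello";
    return c;
}

const wchar_t *wide_view(void)
{
    wchar_t const *c = L"Hello";
    return c;
}

/* Functions that only inspect text take pointer-to-const. Callers can pass a
 * literal directly, and no const qualifier ever has to be cast away. */
size_t count_char(const char *s, char ch)
{
    size_t n = 0;
    for (; *s != '\0'; ++s) {
        if (*s == ch) {
            ++n;
        }
    }
    return n;
}

/* Writable copy: initializing an array from a literal copies the characters
 * into the array, so modifying buf is well defined. The capitalized text is
 * copied to out; returns its length, or 0 if out cannot hold it. */
size_t capitalized_copy(char *out, size_t out_size)
{
    char buf[] = "Hello";     /* char[6], a modifiable copy of the literal */
    buf[0] = 'C';             /* well defined: buf is an ordinary array */
    if (out_size < sizeof buf) {
        return 0;
    }
    memcpy(out, buf, sizeof buf);
    return sizeof buf - 1;
}

/* Same pattern for a wide literal; sizes are counted in wchar_t elements. */
size_t capitalized_wide_copy(wchar_t *out, size_t out_count)
{
    wchar_t buf[] = L"Hello"; /* wchar_t[6], a modifiable copy */
    size_t count = sizeof buf / sizeof buf[0];
    buf[0] = L'C';
    if (out_count < count) {
        return 0;
    }
    wmemcpy(out, buf, count);
    return count - 1;
}

int main(void)
{
    char out[8];
    wchar_t wout[8];

    printf("%s contains %zu 'l'\n", narrow_view(), count_char(narrow_view(), 'l'));
    if (capitalized_copy(out, sizeof out) != 0) {
        printf("modified copy: %s\n", out);
    }
    if (capitalized_wide_copy(wout, sizeof wout / sizeof wout[0]) != 0) {
        printf("modified wide copy: %ls\n", wout);
    }
    (void)wide_view();
    return 0;
}
```

Note that `sizeof buf` inside `capitalized_copy` is the size of the array (6 bytes), which is only possible because `buf` is an array initialized from the literal; had `buf` been declared as `char *buf = "Hello";`, `sizeof buf` would be the size of a pointer and the assignment to `buf[0]` would be the undefined behavior this recommendation guards against.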
Modifying string literals causes undefined behavior, which can result in abnormal program termination and denial-of-service vulnerabilities.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR05-C | low | unlikely | low | P3 | L3 |
The LDRA tool suite V 7.6.0 can detect violations of this recommendation.
Compass/ROSE can detect violations of this recommendation.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
[Corfield 93]
[ISO/IEC 9899:1999] Section 6.7.8, "Initialization"
[Lockheed Martin 2005] AV Rule 151.1