 
                            A string literal is a sequence of zero or more multibyte characters enclosed in double-quotes ("xyz", for example). A wide string literal is the same, except prefixed by the letter L (L"xyz", for example).
At compile time, string literals are used to create an array of static duration and sufficient length to contain the character sequence and a null-termination character. It is unspecified whether these arrays are distinct. The behavior is undefined if a program attempts to modify string literals but frequently results in an access violation, as string literals are typically stored in read-only memory.
Do not attempt to modify a string literal. Use a named array of characters to obtain a modifiable string.
Risk Assessment
Modifying string literals can lead to abnormal program termination and results in undefined behavior that can be used in denial-of-service attacks.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| STR30-C | 1 (low) | 3 (likely) | 3 (low) | P9 | L2 | 
Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 6.4.5, "String literals"
[[Summit 95]] comp.lang.c FAQ list - Question 1.32
[[Plum 91]] Topic 1.26, "strings - string literals"