CertC-STR05
Use pointers to const when referring to string literals
Required inputs: IR
The type of a narrow string literal is an array of char, and the type of a wide string literal is an array of wchar_t. However, string literals (of both types) are notionally constant and should consequently be protected by const qualification. This recommendation is a specialization of DCL00-C. Const-qualify immutable objects and also supports STR30-C. Do not attempt to modify string literals.
Adding const qualification may propagate through a program; as const qualifiers are added, still more become necessary. This phenomenon is sometimes called const-poisoning. Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. Although const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.
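The propagation described above can be seen in a short call chain. The following program is an added example, not part of the CERT page or of any checker's code; the helper names skip_spaces and word_length are invented for the illustration. Both helpers take and return pointers to const, so a string literal can be passed to the top of the chain and flow down it without any cast. If skip_spaces were declared with a plain char * parameter, word_length could only call it by casting the const away, which is exactly the EXP05-C violation the text warns about.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: each function in the chain takes and returns a
 * pointer to const, so a string literal can travel down the whole chain
 * without a cast. Changing skip_spaces to take a plain char * would force
 * word_length (which only holds a const char *) to cast the qualifier
 * away; the const has to follow the data all the way down. */
static const char *skip_spaces(const char *s) {
    while (*s == ' ') {
        s++;
    }
    return s;                     /* still const char *: nothing is cast away */
}

/* Length of the first word after leading spaces; 0 for an empty string. */
static size_t word_length(const char *s) {
    const char *start = skip_spaces(s);
    const char *end = start;
    while (*end != '\0' && *end != ' ') {
        end++;
    }
    return (size_t)(end - start);
}

int main(void) {
    /* A literal is passed directly: no copy and no cast are needed. */
    printf("%zu\n", word_length("   Hello world"));   /* 5 */
    return 0;
}
```

Returning const char * from skip_spaces is the part that matters: a helper that accepted const char * but returned char * would let the caller write through the literal without a visible cast anywhere.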
Noncompliant Code Example (Narrow String Literal)
In this noncompliant code example, the const keyword has been omitted:

```c
char *c = "Hello";
```

If a statement such as c[0] = 'C' were placed following the declaration in the noncompliant code example, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (Immutable Strings)
In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

```c
const char *c = "Hello";
```
Compliant Solution (Mutable Strings)
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array that has been initialized using the contents of the corresponding string literal:

```c
char c[] = "Hello";
```

Consequently, a statement such as c[0] = 'C' is valid and behaves as expected.
Noncompliant Code Example (Wide String Literal)
In this noncompliant code example, the const keyword has been omitted:

```c
wchar_t *c = L"Hello";
```

If a statement such as c[0] = L'C' were placed following this declaration, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.
Compliant Solution (Immutable Strings)
In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

```c
wchar_t const *c = L"Hello";
```
Compliant Solution (Mutable Strings)
In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable wchar_t array that has been initialized using the contents of the corresponding string literal:

```c
wchar_t c[] = L"Hello";
```

Consequently, a statement such as c[0] = L'C' is valid and behaves as expected.
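The two compliant forms, for both the narrow and the wide sections above, put together in one runnable program. This is an added example, not code from the CERT page; the function names (narrow_len, modify_narrow_copy, greeting and so on) are invented for the illustration. It shows the pointer-to-const form being passed to read-only functions, the array form being copied from the literal and then written, sizeof telling the two forms apart, and the fact that a const char * can still be repointed at another literal because the qualifier protects the characters, not the pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Immutable strings: a pointer to const may refer to a literal of either
 * width, and the callee can only read through it. */
static size_t narrow_len(const char *s) { return strlen(s); }
static size_t wide_len(const wchar_t *s) { return wcslen(s); }

/* Mutable strings: initializing an array from the literal copies its
 * contents into writable storage, so c[0] = 'C' is well defined.
 * Returns 1 when the modified copy reads "Cello", 0 otherwise. */
static int modify_narrow_copy(void) {
    char c[] = "Hello";           /* array of 6 char, including the '\0' */
    c[0] = 'C';                   /* writes the copy, not the literal */
    return strcmp(c, "Cello") == 0;
}

static int modify_wide_copy(void) {
    wchar_t c[] = L"Hello";       /* array of 6 wchar_t */
    c[0] = L'C';
    return wcscmp(c, L"Cello") == 0;
}

/* sizeof tells the two compliant forms apart: the array copy owns the
 * characters, while a pointer only refers to the literal. */
static size_t narrow_copy_size(void) {
    char c[] = "Hello";
    return sizeof c;              /* 6: five characters plus the terminator */
}

static size_t wide_copy_elems(void) {
    wchar_t c[] = L"Hello";
    return sizeof c / sizeof c[0]; /* 6 elements, whatever sizeof(wchar_t) is */
}

/* The const applies to the characters, not to the pointer: the pointer
 * itself may be redirected to another literal without writing anything. */
static const char *greeting(int formal) {
    const char *c = "Hello";
    if (formal) {
        c = "Good day";
    }
    return c;
}

int main(void) {
    printf("narrow copy modified: %d\n", modify_narrow_copy());
    printf("wide copy modified:   %d\n", modify_wide_copy());
    printf("sizeof narrow copy:   %zu\n", narrow_copy_size());
    printf("wide copy elements:   %zu\n", wide_copy_elems());
    printf("literal lengths:      %zu / %zu\n",
           narrow_len("Hello"), wide_len(L"Hello"));
    printf("greeting:             %s\n", greeting(1));
    return 0;
}
```

Note that the array form is only a copy of the literal at the point of initialization; a function that needs to hand a modified string back to its caller must copy into storage the caller owns rather than return the address of the local array.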
Risk Assessment
Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR05-C | Low | Unlikely | Low | P3 | L3 |
Bibliography
| Reference | Section |
|---|---|
| [Corfield 1993] | |
| [Lockheed Martin 2005] | AV Rule 151.1 |
Possible Messages
| Key | Text | Severity | Disabled |
|---|---|---|---|
| nonconst_string_literal | String literal should only be used as ‘const char*’ | None | False |
Options
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
This rule has no individual options.