The C Standard, 18.104.22.168, paragraph 4 [ISO/IEC 9899:2011], states
getenvfunction returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program but may be overwritten by a subsequent call to the
This paragraph gives an implementation the latitude, for example, to return a pointer to a statically allocated buffer. Consequently, do not store this pointer because the string data it points to may be overwritten by a subsequent call to the
getenv() function or invalidated by modifications to the environment. This string should be referenced immediately and discarded. If later use is anticipated, the string should be copied so the copy can be safely referenced as needed.
getenv() function is not thread-safe. Make sure to address any possible race conditions resulting from the use of this function.
strerror() functions have similar restrictions. Do not access the objects returned by any of these functions after a subsequent call.
Noncompliant Code Example
This noncompliant code example attempts to compare the value of the
TEMP environment variables to determine if they are the same:
This code example is noncompliant because the string referenced by
tmpvar may be overwritten as a result of the second call to the
getenv() function. As a result, it is possible that both
tempvar will compare equal even if the two environment variables have different values.
This compliant solution uses the
strcpy() functions to copy the string returned by
getenv() into a dynamically allocated buffer:
Compliant Solution (Annex K)
The C Standard, Annex K, provides the
getenv_s() function for getting a value from the current environment. However,
getenv_s() can still have data races with other threads of execution that modify the environment list.
Compliant Solution (Windows)
Microsoft Windows provides the
wdupenv_s() functions for getting a value from the current environment [MSDN]. The
_dupenv_s() function searches the list of environment variables for a specified name. If the name is found, a buffer is allocated; the variable's value is copied into the buffer, and the buffer's address and number of elements are returned. The
_wdupenv_s() functions provide more convenient alternatives to
_wgetenv_s() because each function handles buffer allocation directly.
The caller is responsible for freeing any allocated buffers returned by these functions by calling
Compliant Solution (POSIX or C2x)
POSIX provides the
strdup() function, which can make a copy of the environment variable string [IEEE Std 1003.1:2013]. The
strdup() function is also included in Extensions to the C Library—Part II [ISO/IEC TR 24731-2:2010]. Further, it is expected to be present in the C2x standard.
Storing the pointer to the string returned by
strerror() can result in overwritten data.
DF2681, DF2682, DF2683
|LDRA tool suite|
|Pointers returned by certain Standard Library functions should not be used following a subsequent call to the same or related function|
|CERT C: Rule ENV34-C||Checks for misuse of return value from nonreentrant standard function (rule fully covered)|
Key here (explains table format and definitions)
|C Secure Coding Standard||ENV00-C. Do not store objects that can be overwritten by multiple calls to getenv() and similar functions||Prior to 2018-01-12: CERT: Unspecified Relationship|
|ISO/IEC TR 24731-2||22.214.171.124, "The ||Prior to 2018-01-12: CERT: Unspecified Relationship|
|ISO/IEC TS 17961:2013||Using an object overwritten by ||Prior to 2018-01-12: CERT: Unspecified Relationship|
|[IEEE Std 1003.1:2013]||Chapter 8, "Environment Variables"|
XSH, System Interfaces,
|[ISO/IEC 9899:2011]||Subclause 7.22.4, "Communication with the Environment"|
Subclause 126.96.36.199, "The
Subclause K.188.8.131.52, "The
|[Viega 2003]||Section 3.6, "Using Environment Variables Securely"|