Page History

The POSIX function {{putenv()}} is used to set environment variable values. The {{putenv()}} function does not create a copy of the string supplied to it as an argument; rather, it inserts a pointer to the string into the environment array. If a pointer to a buffer of automatic storage duration is supplied as an argument to {{putenv()}}, the memory allocated for that buffer may be overwritten when the containing function returns and stack memory is recycled. This behavior is noted in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\]:

In this noncompliant code example, a pointer to a buffer of automatic storage duration is used as an argument to {{putenv()}} \[[Dowd 06|AA. C References#Dowd 06]\]. The {{TEST}} environment variable may take on an unintended value if it is accessed once {{func()}} has returned and the stack frame containing {{env}} has been recycled.

The POSIX {{setenv()}} function is preferred over this function \[[Open Group 04|AA. C References#Open Group 04]\].

\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 10, "UNIX Processes"
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 686|http://cwe.mitre.org/data/definitions/686.html], "Function Call With Incorrect Argument Type," [CWE ID 562|http://cwe.mitre.org/data/definitions/562.html], and "Return of Stack Variable Address"
[{{putenv()}}|http://www.opengroup.org/onlinepubs/009695399/functions/putenv.html], [{{setenv()}}|http://www.opengroup.org/onlinepubs/009695399/functions/setenv.html]
\[[Open Group 04|AA. C References#Open Group 04]\]