Versions Compared


...

According to the [Open Group 2004] entry for putenv():

...the string pointed to by string shall become part of the environment, so altering the string shall change the environment.

This means that the call to putenv() is only necessary the first time func() is called, since subsequent changes to the string update the environment directly. If func() were called more than once, an additional variable could be added to avoid calling putenv() unnecessarily.
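The behaviour described above, as an added example that is not the CERT page's own code: a buffer of static storage duration is registered with putenv() once, guarded by a flag, and every later update is a plain write into that buffer. The function names set_test_var() and current_test_var() and the variable name TEST are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700   /* expose putenv() in <stdlib.h> on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Static storage duration: safe to hand to putenv(). An automatic array
 * (char env[1024] inside the function) would violate POS34-C, because the
 * environment would keep pointing at a dead stack buffer after return. */
static char env[1024];
static int env_registered = 0;   /* guard: call putenv() only once */

/* Sets TEST=<value> in the environment; returns 0 on success, -1 on error. */
int set_test_var(const char *value) {
    int n = snprintf(env, sizeof(env), "TEST=%s", value);
    if (n < 0 || (size_t)n >= sizeof(env)) {
        return -1;   /* value too long for the buffer */
    }
    if (!env_registered) {
        /* First call: make env[] itself part of the environment. */
        if (putenv(env) != 0) {
            return -1;
        }
        env_registered = 1;
    }
    /* Later calls: the snprintf() above already changed the environment,
     * because env[] is the environment string, per [Open Group 2004]. */
    return 0;
}

/* Current value of TEST as seen through getenv(), or NULL if unset. */
const char *current_test_var(void) {
    return getenv("TEST");
}
```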

...

Providing a pointer to a buffer of automatic storage duration as an argument to putenv() may cause that buffer to take on an unintended value. Depending on how and when the buffer is used, it can cause unexpected program behavior or possibly allow an attacker to run arbitrary code.

Rule     Severity  Likelihood  Detectable  Repairable  Priority  Level
POS34-C  High      Unlikely    Yes         No          P6        L2

Automated Detection

Tool                  | Checker                    | Description
Astrée                | putenv-arg-local           | Partially checked + soundly supported
Axivion Bauhaus Suite | CertC-POS34                |
CodeSonar             | BADFUNC.PUTENV             | Use of putenv (users can add a custom check for all uses of putenv())
Compass/ROSE          |                            |
Helix QAC             | C5024                      |
Klocwork              | CERT.PUTENV.AUTO_VARIABLE  |
Parasoft C/C++test    | CERT_C-POS34-a             | Usage of system properties (environment variables) should be restricted
                      | CERT_C-POS34-b             | Do not call putenv() with a pointer to an automatic variable as the argument
PC-lint Plus          | 2601                       | Fully supported
Polyspace Bug Finder  | CERT C: Rule POS34-C       | Checks for use of automatic variable as putenv-family function argument (rule fully covered)
PRQA QA-C             | 5024                       | Partially implemented
RuleChecker           | putenv-arg-local           | Partially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

[Dowd 2006] Chapter 10, "UNIX Processes"
[ISO/IEC 9899:2024] Section 6.2.4, "Storage Durations of Objects"; Section 7.24.3, "Memory Management Functions"
[Open Group 2004] putenv(); setenv()

...