Page History

Some implementations provide a nonportable environment pointer that is valid when main() is called but may be invalidated by operations that modify the environment.

The C Standard, J.5.2 [ISO/IEC 9899:2024], states

In a hosted environment, the main function receives a third argument, char *envp[], that points to a null-terminated array of pointers to char, each of which points to a string that provides information about the environment for this execution of the program (5.1.2.3.2).

Consequently, under a hosted environment supporting this common extension, it is possible to access the environment through a modified form of main():

main(int argc, char *argv[], char *envp[]){ /* ... */ }

However, modifying the environment by any means may cause the environment memory to be reallocated, with the result that envp now references an incorrect location. For example, when compiled with GCC 4.8.1

Under many hosted environments it is possible to access the environment through a modified form of main():

main(int argc, char *argv[], char *envp[])

According to C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\]:

Wiki Markup
In a hosted environment, the main function receives a third argument, {{char \*envp\[\]}}, that points to a NULL-terminated array of pointers to {{char}}, each of which points to a string that provides information about the environment for this execution of the program.

However, modifying the environment by using the {{setenv()}} or {{putenv()}} functions, or by any other means, may cause the environment memory to be reallocated, with the result that {{envp}} now references an incorrect location. For example, POSIX says the following \[[Open Group 04|AA. C References#Open Group 04]\]

Unanticipated results may occur if setenv() changes the external variable environ.  In particular, if the optional envp argument to main() is present, it is not changed, and thus may point to an obsolete copy of the environment (as may any other copy of environ).

According to the Microsoft Visual Studio 2005/.NET Framework 2.0 help pages:

The getenv function searches the list of environment variables for varname. getenv is not case sensitive in the Windows operating system. getenv and _putenv use the copy of the environment pointed to by the global variable _environ to access the environment. getenv operates only on the data structures accessible to the run-time library and not on the environment "segment" created for the process by the operating system. Therefore, programs that use the envp argument to main or wmain may retrieve invalid information.

When compiled with GCC version 3.4.6 and run on a 32-bit Intel GNU/Linux test machine, the following code:,

#include <stdio.h>
#include <stdlib.h>
 
extern char **environ;

/* ... */

int main(int argc, const char const *argv[], const char const *envp[]) {
   printf("environ:  %p\n", environ);
   printf("envp:     %p\n", envp);
   setenv("MY_NEW_VAR", "new_value", 1);
   puts("--Added MY_NEW_VAR--");
   printf("environ:  %p\n", environ);
   printf("envp:     %p\n", envp);
  return 0;
}

Yields:yields

% ./envp-environ
environ: 0xbf8656ec
envp:    0xbf8656ec
--Added MY_NEW_VAR--
environ: 0x804a008
envp:    0xbf8656ec

It is evident from these results that the environment has been relocated as a result of the call to setenv().

...

The external variable environ is updated to refer to the current environment; the envp parameter is not.

An environment pointer may also become invalidated by subsequent calls to getenv(). (See ENV34-C. Do not store pointers returned by certain functions for more information.)

Noncompliant Code Example (POSIX)

After a call to the POSIX setenv() function or other to another function that modifies the environment, the envp pointer may no longer reference the current environment. The Portable Operating System Interface (POSIX^®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013], states

Unanticipated results may occur if setenv() changes the external variable environ. In particular, if the optional envp argument to main() is present, it is not changed, and thus may point to an obsolete copy of the environment (as may any other copy of environ).

This noncompliant code example accesses the envp pointer after calling setenv():

#include <stdio.h>
#include <stdlib.h>
 
int main(int argc, const char const *argv[], const char const *envp[]) {
   size_t i;
   if (setenv("MY_NEW_VAR", "new_value", 1);
 ) != 0) {
    /* Handle error */
  }
  if (envp != NULL) {
      for (size_t i = 0; envp[i] != NULL; i++i) {
         puts(envp[i]);
      }
   }
   return 0;
}

Because envp may no longer points point to the current environment, this program has undefined unanticipated behavior.

Compliant Solution (POSIX)

Use environ in place of envp when defined.:

#include <stdio.h>
#include <stdlib.h>
 
extern char **environ;

int main(void) {
  if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
    /* Handle error */
  }
  if (environ != NULL) {
    for (size_t i = 0; environ[i] != NULL; ++i) {
      puts(environ[i]);
    }
  }
  return 0;
}

Noncompliant Code Example (Windows)

After a call to the Windows _putenv_s() function or to another function that modifies the environment, the envp pointer may no longer reference the environment.

According to the Visual C++ reference [MSDN]

The environment block passed to main and wmain is a "frozen" copy of the current environment. If you subsequently change the environment via a call to _putenv or _wputenv, the current environment (as returned by getenv / _wgetenv and the _environ / _wenviron variable) will change, but the block pointed to by envp will not change.

This noncompliant code example accesses the envp pointer after calling _putenv_s():

#include <stdio. */
h>
#include <stdlib.h>
 
int main(int argc, const char *argv[], const char *argvenvp[]) {
  if (_putenv_s("MY_NEW_VAR", "new_value") != 0) {
    /* Handle error */
  }
  if (envp != NULL) {
    for (size_t i = 0; envp[i] != NULL; ++i) {
      puts(envp[i]);
    }
  }
  return 0;
}

Because envp no longer points to the current environment, this program has unanticipated behavior.

Compliant Solution (Windows)

This compliant solution uses the _environ variable in place of envp:

#include <stdio.h>
#include <stdlib.h>
 
_CRTIMP extern char **_environ;

int main(int argc, const char *argv[]) {
  if (_putenv_s setenv("MY_NEW_VAR", "new_value", 1);
 ) != 0) {
    /* Handle error */
  }
  if (_environ != NULL) {
      for (size_t i = 0; _environ[i] != NULL; i++i) {
         puts(_environ[i]);
      }
   }
   return 0;
}

Note: if you have a great deal of unsafe envp code, you could save time in your remediation by aliasing. Change:

Compliant Solution

This compliant solution can reduce remediation time when a large amount of noncompliant envp code exists. It replaces

int 

main(int argc, char *argv[], char *envp[]) {
  /* ... */
}

To:with

#if defined (_POSIX_) || defined (__USE_POSIX)
  extern char **environ;
  #define envp environ

/* ... */
#elif defined(_WIN32)
  _CRTIMP extern char **_environ;
  #define envp _environ
#endif

int main(int argc, char *argv[]) {
  /* ... */
}

This compliant solution may need to be extended to support other implementations that support forms of the external variable environ.

Risk Assessment

Using the envp environment pointer after the environment has been modified may can result in undefined behavior.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

...

Related Guidelines

Key here (explains table format and definitions)

Bibliography

...

...

...

...

...

...

Image Added Image Added Image Added \[[Open Group 04|AA. C References#Open Group 04]\] [{{setenv()}}|http://www.opengroup.org/onlinepubs/009695399/functions/setenv.html]ENV30-C. Do not modify the string returned by getenv()      10. Environment (ENV)       ENV32-C. No atexit handler should terminate in any way other than by returning