The POSIX function
putenv() is used to set environment variable values. The
putenv() function does not create a copy of the string supplied to it as an argument; rather, it inserts a pointer to the string into the environment array. If a pointer to a buffer of automatic storage duration is supplied as an argument to
putenv(), the memory allocated for that buffer may be overwritten when the containing function returns and stack memory is recycled. This behavior is noted in the Open Group Base Specifications, Issue 6 [Open Group 2004]:
A potential error is to call
putenv()with an automatic variable as the argument, then return from the calling function while
stringis still part of the environment.
The actual problem occurs when passing a pointer to an automatic variable to
putenv(). An automatic pointer to a static buffer would work as intended.
Noncompliant Code Example
In this noncompliant code example, a pointer to a buffer of automatic storage duration is used as an argument to
putenv() [Dowd 2006]. The
TEST environment variable may take on an unintended value if it is accessed after
func() has returned and the stack frame containing
env has been recycled.
Note that this example also violates DCL30-C. Declare objects with appropriate storage durations.
Compliant Solution (
This compliant solution uses a static array for the argument to
According to the [Open Group 2004] entry for
...the string pointed to by string shall become part of the environment, so altering the string shall change the environment.
This means that the call to
putenv() is only necessary the first time
func() is called, since subsequent changes to the string update the environment. If
func() were called more than once, an additional variable could be added to avoid calling it unnecessarily.
Compliant Solution (Heap Memory)
This compliant solution dynamically allocates memory for the argument to
setenv() function is preferred over this function [Open Group 2004]. In particular, using
putenv() will necessarily leak memory if called multiple times for the same environment variable, due to restrictions on when you can safely free the old value. According to the [Open Group 2004] entry for
Although the space used by string is no longer used once a new string which defines name is passed to putenv(), if any thread in the application has used getenv() to retrieve a pointer to this variable, it should not be freed by calling free(). If the changed environment variable is one known by the system (such as the locale environment variables) the application should never free the buffer used by earlier calls to putenv() for the same variable.
Compliant Solution (
setenv() function allocates heap memory for environment variables, which eliminates the possibility of accessing volatile stack memory:
setenv() is easier and consequently less error prone than using
Providing a pointer to a buffer of automatic storage duration as an argument to
putenv() may cause that buffer to take on an unintended value. Depending on how and when the buffer is used, it can cause unexpected program behavior or possibly allow an attacker to run arbitrary code.
|Axivion Bauhaus Suite|
|(customization)||Users can add a custom check for all uses of |
Usage of system properties (environment variables) should be restricted
|CERT C: Rule POS34-C||Checks for use of automatic variable as putenv-family function argument (rule fully covered)|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Key here (explains table format and definitions)
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-252/CWE-253/CWE-391 and ERR33-C/POS34-C
Independent( ERR33-C, POS54-C, FLP32-C, ERR34-C)
Intersection( CWE-252, CWE-253) = Ø
CWE-391 = Union( CWE-252, CWE-253)
CWE-391 = Union( ERR33-C, POS34-C, list) where list =
- Ignoring return values of functions outside the C or POSIX standard libraries
|[Dowd 2006]||Chapter 10, "UNIX Processes"|
|[ISO/IEC 9899:2011]||Section 6.2.4, "Storage Durations of Objects"|
Section 7.22.3, "Memory Management Functions"
|[Open Group 2004]|