
The POSIX function putenv() is used to set environment variable values. The putenv() function does not create a copy of the string supplied to it as a parameter; rather, it inserts a pointer to that string into the environment array. If an automatic variable is supplied as a parameter to putenv(), the memory allocated for that variable may be overwritten when the containing function returns and its stack memory is recycled, leaving the environment pointing at stale data. This behavior is noted in the Open Group Base Specifications Issue 6 [[Open Group 04]]:

A potential error is to call putenv() with an automatic variable as the argument, then return from the calling function while string is still part of the environment.

Non-Compliant Code Example

In this example derived from Dowd, an automatic variable is used to modify the environment via a call to putenv(). If the containing function returns and the stack frame that contains env is recycled, the ENV environment variable may take on an unexpected value. Note that this example also violates rule DCL30-C. Do not refer to an object outside of its lifetime.

#include <stdio.h>
#include <stdlib.h>

int func(char *var) {
  char env[1024];  /* automatic storage: released when func() returns */

  if (snprintf(env, sizeof(env), "ENV=%s", var) < 0) {
    /* Handle error */
  }

  /* putenv() stores a pointer to env, not a copy of its contents */
  return putenv(env);
}

Compliant Solution

To make this example compliant, env must not be declared as an automatic variable. Here it is given static storage duration, so the pointer that putenv() stores remains valid after func() returns.

#include <stdio.h>
#include <stdlib.h>

int func(char *var) {
  static char env[1024];  /* static storage: lives for the whole program */

  if (snprintf(env, sizeof(env), "ENV=%s", var) < 0) {
    /* Handle error */
  }

  return putenv(env);
}

Risk Assessment

Using an automatic variable as an argument to putenv() may cause that variable to take on an unintended value. Depending on how and when that variable is used, this can cause unexpected program behavior, or possibly allow an attacker to run arbitrary code.

Rule     Severity  Likelihood    Remediation Cost  Priority  Level
ENV80-C  3 (high)  1 (unlikely)  1 (high)          P3        L3

Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.

References

[[Open Group 04]] The putenv() function
[[ISO/IEC 9899-1999]] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions"
[[Dowd]]
[[DCL30-C. Do not refer to an object outside of its lifetime]]
