...
The getenv() function searches an environment list, provided by the host environment, for a string that matches the string pointed to by name. The set of environment names and the method for altering the environment list are implementation-defined.
Non-compliant Code Example 1
| Wiki Markup |
|---|
The contents of {{argv\[0\]}} can be manipulated by an attacker to cause a buffer overflow in the following program: |
| Code Block |
|---|
int main(int argc, char *argv[]) {
...
char prog_name[128];
strcpy(prog_name, argv[0]);
...
}
|
Non-compliant Code Example 2
Reading environment variables into fixed length arrays can also result in a buffer overflow.
| Code Block |
|---|
char buff[256];
strcpy(buff, (char *)getenv("EDITOR"));
|
Compliant Solution 1
| Wiki Markup |
|---|
The {{strlen()}} function should be used to determine the length of the strings referenced by {{argv\[0\]}} through {{argv\[argc-1\]}} so that adequate memory can be dynamically allocated: |
| Code Block |
|---|
int main(int argc, char *argv[]) {
...
char * prog_name = (char *)malloc(strlen(argv[0])+1);
if (prog_name != NULL) {
strcpy(prog_name, argv[1]);
}
else {
/* Couldn't get the memory - recover */
}
...
}
|
Compliant Solution 2
The strlen() function should be used to determine the length of environmental variables so that adequate memory can be dynamically allocated:
| Code Block |
|---|
char *editor;
char *buff;
editor = (char *)getenv("EDITOR");
if (editor) {
buff = (char *)malloc(strlen(editor)+1);
strcpy(buff, editor);
}
|
References
- ISO/IEC 9899-1999 5.1.2.2.1 Program startup
- ISO/IEC 9899-1999 7.20.4.5 The getenv function
