Some functions in the C standard library are not guaranteed to be reentrant with respect to threads. Some functions (such as strtok() and asctime()) return a pointer to the result stored in function-allocated memory on a per-process basis. Other functions (such as rand()) store state information in function-allocated memory on a per-process basis. Multiple threads invoking the same function can cause concurrency problems, which often result in abnormal behavior and can cause more serious vulnerabilities such as abnormal termination, denial-of-service attack, and data integrity violations.
As per the N1401-C1X document, the following library functions are not required to avoid data races:
rand()getenv()strtok()strerror()asctime()ctime()
Section 2.9.1 of the System Interfaces volume of POSIX.1-2008 has a much longer list of functions that are not required to be thread safe.
...
Noncompliant Code Example
Consider a multithreaded application that encounters an error while calling a system function. The strerror() function returns a human-readable error string given an error number. According to C99, Section 7.22.6.2 specifically states that strerror() is not required to avoid data races. Conventionally it could rely on a static array that maps error numbers to error strings, and that array might be accessible and modifiable by other threads.
...