...
After a call to the POSIX setenv() function or to another function that modifies the environment, the envp pointer may no longer reference the environment. POSIX [Open Group 2004], Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013], states:
Unanticipated results may occur if setenv( ) changes the external variable environ. In particular, if the optional envp argument to main( ) is present, it is not changed, and thus may point to an obsolete copy of the environment (as may any other copy of environ).
This noncompliant code example accesses the envp pointer after calling setenv():
...
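For contrast with the noncompliant pattern described above, the following added example (not the CERT page's own listing) re-reads the environment through environ after setenv() instead of keeping a pointer obtained before the call. The helper names env_lookup, env_count and set_then_read and the variable ENV31_DEMO_VAR are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;  /* POSIX: always refers to the current environment */

/* Hypothetical helper: find name in a NULL-terminated "NAME=value" array. */
const char *env_lookup(char **env, const char *name) {
    size_t n = strlen(name);
    for (; env != NULL && *env != NULL; ++env)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Hypothetical helper: number of entries in an environment array. */
size_t env_count(char **env) {
    size_t c = 0;
    while (env != NULL && env[c] != NULL) ++c;
    return c;
}

/*
 * Set a variable, then walk the environment. The array pointer is taken
 * from environ only AFTER setenv() returns; no envp-style pointer saved
 * before the call is dereferenced, because setenv() may have replaced the array.
 * Returns 0 on success and stores how many entries were added in *grew_by.
 */
int set_then_read(const char *name, const char *value, size_t *grew_by) {
    size_t before = env_count(environ);   /* keep a count, not a pointer */
    if (setenv(name, value, 1) != 0) return -1;
    char **env = environ;                 /* fresh pointer after the change */
    const char *seen = env_lookup(env, name);
    if (seen == NULL || strcmp(seen, value) != 0) return -1;
    *grew_by = env_count(env) - before;
    return 0;
}

int main(void) {   /* no envp parameter, so there is no stale copy to misuse */
    size_t grew = 0;
    if (set_then_read("ENV31_DEMO_VAR", "constructed-value", &grew) != 0)
        return EXIT_FAILURE;
    printf("ENV31_DEMO_VAR visible via environ; array grew by %zu\n", grew);
    return EXIT_SUCCESS;
}
```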
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
CERT C++ Secure Coding Standard | ENV31-CPP. Do not rely on an environment pointer following an operation that may invalidate it |
Bibliography
[IEEE Std 1003.1:2013] | XSH, System Interfaces, setenv
[ISO/IEC 9899:2011] | Subclause J.5.1, "Environment Arguments"
[MSDN] | getenv, _wgetenv; _environ, _wenviron; _putenv_s, _wputenv_s
[Open Group 2004] |
...