Some functions return a pointer to an object that cannot be modified without causing undefined behavior. These functions include the standard getenv(), setlocale(), localeconv(), and strerror() functions.

C11, Section 7.22.4.6 [ISO/IEC 9899:2011], defines getenv as follows:

The getenv function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program, but may be overwritten by a subsequent call to the getenv function. If the specified name cannot be found, a null pointer is returned.

Consequently, if the string returned by getenv() must be altered, a local copy should be created. Altering the string returned by getenv() results in undefined behavior. See also undefined behavior 184 of Annex J of C11.

Similarly, C11, Section 7.11.1.1 [ISO/IEC 9899:2011], defines setlocale and localeconv as follows:

The pointer to string returned by the setlocale function is such that a subsequent call with that string value and its associated category will restore that part of the program's locale. The string pointed to shall not be modified by the program, but may be overwritten by a subsequent call to the setlocale function.

...

Altering the string returned by setlocale() or the structure returned by localeconv() results in undefined behavior. See also undefined behaviors 120 and 121 of Annex J of C99. Furthermore, the C standard imposes no requirements on the contents of the string returned by setlocale(). Consequently, a program should make no assumptions as to the string's internal contents or structure.

Finally, C11, Section 7.24.6.2 [ISO/IEC 9899:2011], states

The strerror function returns a pointer to the string, the contents of which are locale specific. The array pointed to shall not be modified by the program, but may be overwritten by a subsequent call to the strerror function.

Altering the string returned by strerror() results in undefined behavior. See also undefined behavior 184 of Annex J of C99.
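The same copy-before-modify approach applied to setlocale(), localeconv() and strerror(), as an added example that is not part of the CERT page. The helper names dup_lib_string, c_locale_decimal_point and upper_strerror are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: heap copy of a library-owned string (caller frees). */
static char *dup_lib_string(const char *src) {
  if (src == NULL) return NULL;
  size_t n = strlen(src) + 1;
  char *copy = malloc(n);
  if (copy != NULL) memcpy(copy, src, n);
  return copy;
}

/* Stores the "C" locale's decimal point in *out, then restores the caller's
 * locale. The current locale name is copied first because the next
 * setlocale() call may overwrite it. Returns 0 on success, -1 on failure. */
static int c_locale_decimal_point(char *out) {
  char *saved = dup_lib_string(setlocale(LC_ALL, NULL));
  if (saved == NULL) return -1;
  int rc = -1;
  if (setlocale(LC_ALL, "C") != NULL) {
    const struct lconv *lc = localeconv(); /* read-only view */
    *out = lc->decimal_point[0];
    rc = (setlocale(LC_ALL, saved) != NULL) ? 0 : -1;
  }
  free(saved);
  return rc;
}

/* Writes an upper-cased copy of strerror(errnum) into buf; only the copy is
 * edited. Returns 0 on success, -1 if buf cannot hold the message. */
static int upper_strerror(int errnum, char *buf, size_t size) {
  const char *msg = strerror(errnum); /* library-owned: never written to */
  size_t len = strlen(msg);
  if (len >= size) return -1;
  memcpy(buf, msg, len + 1);
  for (char *p = buf; *p != '\0'; p++) *p = (char)toupper((unsigned char)*p);
  return 0;
}

int main(void) {
  char dp = '\0', buf[256];
  if (c_locale_decimal_point(&dp) != 0) return EXIT_FAILURE;
  if (upper_strerror(ERANGE, buf, sizeof buf) != 0) return EXIT_FAILURE;
  printf("decimal point '%c', ERANGE: %s\n", dp, buf);
  return EXIT_SUCCESS;
}
```

Declaring the results of these calls as pointers to const lets the compiler reject an accidental write through them.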

Noncompliant Code Example (getenv())

...

#include <stdlib.h>

/* Replaces every occurrence of orig in str with rep, in place */
void trstr(char *str, char orig, char rep) {
  while (*str != '\0') {
    if (*str == orig) {
      *str = rep;
    }
    str++;
  }
}

/* ... */

char *env = getenv("TEST_ENV");
if (env == NULL) {
  /* Handle error */
}

/* Noncompliant: writes to the string returned by getenv() */
trstr(env, '"', '_');

/* ... */

...

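#include <stdlib.h>
#include <string.h>

const char *env;
char *copy_of_env;

env = getenv("TEST_ENV");
if (env == NULL) {
  /* Handle error */
}

/* Allocate room for the string and its terminating null character */
copy_of_env = (char *)malloc(strlen(env) + 1);
if (copy_of_env == NULL) {
  /* Handle error */
}

/* Modify the local copy, not the string returned by getenv() */
strcpy(copy_of_env, env);
trstr(copy_of_env, '\"', '_');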

...

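#include <stdlib.h>  /* getenv(); setenv() is POSIX */
#include <string.h>  /* strdup() is POSIX */

const char *env;
char *copy_of_env;

env = getenv("TEST_ENV");
if (env == NULL) {
  /* Handle error */
}

copy_of_env = strdup(env);
if (copy_of_env == NULL) {
  /* Handle error */
}

/* Modify the local copy, not the string returned by getenv() */
trstr(copy_of_env, '\"', '_');

/* Write the modified value back to the environment */
if (setenv("TEST_ENV", copy_of_env, 1) != 0) {
  /* Handle error */
}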

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect violations of this rule. In particular, it ensures that the result of getenv() is stored in a const variable. |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: ENV30-CPP. Do not modify the string returned by getenv()

ISO/IEC 9899:2011 Section 7.11.1.1, "The setlocale function," Section 7.11.2.1, "The localeconv function," Section 7.22.4.6, "The getenv function," Section 7.24.6.2, "The strerror function"

ISO/IEC TR 17961 (Draft) Modifying the string returned by getenv, localeconv, setlocale, and strerror [libmod]

...