...
Because strtok() modifies its argument, the string is subsequently unsafe and cannot be used in its original form. If you need to preserve the original string, copy it into a buffer and pass the address of the buffer to strtok() instead of the original string.
Non-Compliant Code Example
In this example, the strtok() function is used to parse the first argument into colon-delimited tokens; it outputs each word from the string on a new line. Assume that PATH is "/usr/bin:/usr/sbin:/sbin".
...
However, after the while loop ends, path will have been modified to look like this: "/usr/bin\0/bin\0/usr/sbin\0/sbin\0". This is an issue on several levels. If we check our local path variable, we will only see /usr/bin now. Even worse, we have unintentionally changed the environment variable PATH, which could cause unintended results.
Compliant Solution
In this solution, the string being tokenized is copied into a temporary buffer that is not referenced after the calls to strtok():
...
Another possibility is to provide your own implementation of strtok() that does not modify the initial arguments.
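One way to write such a non-modifying tokenizer, shown as an added example that is not code from the original page: the helper names next_token() and count_tokens() are hypothetical, and the sample string is constructed to stand in for the value of PATH. It reports each token as a pointer plus a length instead of writing null terminators into the input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a C library function. Returns a pointer to the
 * next token at or after *cursor and stores its length in *len, or returns
 * NULL when no tokens remain. Like strtok(), runs of delimiters are skipped,
 * so empty tokens are never reported. The input is only read, never written. */
static const char *next_token(const char **cursor, const char *delims, size_t *len)
{
    const char *start;

    if (cursor == NULL || *cursor == NULL || delims == NULL || len == NULL)
        return NULL;

    start = *cursor + strspn(*cursor, delims);  /* skip leading delimiters */
    if (*start == '\0') {
        *cursor = start;                        /* stay at the terminator */
        return NULL;
    }
    *len = strcspn(start, delims);              /* token runs to next delimiter */
    *cursor = start + *len;                     /* caller-owned state, no statics */
    return start;
}

/* Hypothetical helper: counts the tokens in s without modifying it. */
static size_t count_tokens(const char *s, const char *delims)
{
    const char *cur = s;
    size_t len = 0, n = 0;

    while (next_token(&cur, delims, &len) != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample value; tokens are not null-terminated, so print
     * them with an explicit length. */
    const char *path = "/usr/bin:/usr/sbin:/sbin";
    const char *cur = path;
    const char *tok;
    size_t len = 0;

    while ((tok = next_token(&cur, ":", &len)) != NULL)
        printf("%.*s\n", (int)len, tok);
    printf("original string still intact: %s\n", path);
    return 0;
}
```

Because the scan position lives in the caller's cursor variable, this version also avoids the hidden static state that strtok() keeps between calls.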
Risk Assessment
To quote the Linux Programmer's Manual (man) page on strtok(3):
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR06-A | 2 (medium) | 2 (probable) | 3 (low) | P12 | L1 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[ISO/IEC 9899-1999] Section 7.21.5.8, "The strtok function"
[Unix Man page] strtok(3)
...