Some functions return a pointer to an object that cannot be modified without causing undefined behavior. These functions include the standard getenv(), setlocale(), localeconv(), and strerror() functions.

...

Consequently, if the string returned by getenv() must be altered, a local copy should be created. Altering the string returned by getenv() results in undefined behavior.

...

Altering the string returned by setlocale() or the structure returned by localeconv() results in undefined behavior. Furthermore, C99 imposes no requirements on the contents of the string returned by setlocale(). Consequently, a program should make no assumptions as to the string's internal contents or structure.

Finally, C99, Section 7.21.6.2 [ISO/IEC 9899:1999] states:

The strerror function returns a pointer to the string, the contents of which are locale specific. The array pointed to shall not be modified by the program, but may be overwritten by a subsequent call to the strerror function.

...

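#include <stdlib.h>

/* Replaces every occurrence of orig in str with rep, in place */
void trstr(char *str, char orig, char rep) {
  while (*str != '\0') {
    if (*str == orig) {
      *str = rep;
    }
    str++;
  }
}

/* ... */

char *env = getenv("TEST_ENV");
if (env == NULL) {
  /* Handle error */
}

/* Noncompliant: writes through the pointer returned by getenv() */
trstr(env, '"', '_');
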
/* ... */

Compliant Solution (getenv()) (Local Copy)

Where the intent of the noncompliant code example is to use the modified value of the environment variable locally without modifying the environment, this compliant solution makes a local copy of the string value and then modifies the copy.

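#include <stdlib.h>
#include <string.h>

const char *env;      /* const: the string owned by getenv() is never written */
char *copy_of_env;

env = getenv("TEST_ENV");
if (env == NULL) {
  /* Handle error */
}

/* Allocate room for the string plus its terminating null character */
copy_of_env = (char *)malloc(strlen(env) + 1);
if (copy_of_env == NULL) {
  /* Handle error */
}

strcpy(copy_of_env, env);
trstr(copy_of_env, '\"', '_');  /* modifies only the local copy */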

...

Depending on the implementation, modifying the object pointed to by the return value of these functions causes undefined behavior. Even if the modification succeeds, the modified object may be overwritten by a subsequent call to the getenv(), setlocale(), localeconv(), or strerror() functions.
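The following is an added example, not part of the original rule text. It generalizes the local-copy solution from getenv() to strerror(), so that a message is still intact after a later call overwrites the library's buffer. dup_string(), env_copy_translated() and strerror_copy() are hypothetical helper names; trstr() is the function from the noncompliant example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* trstr() as on the page: replaces orig with rep in a writable string. */
void trstr(char *str, char orig, char rep) {
  for (; *str != '\0'; str++) {
    if (*str == orig) *str = rep;
  }
}

/* Hypothetical helper: heap copy of a library-owned string, NULL on failure. */
char *dup_string(const char *src) {
  if (src == NULL) return NULL;
  size_t n = strlen(src) + 1;
  char *copy = malloc(n);
  if (copy != NULL) memcpy(copy, src, n);
  return copy;
}

/* Hypothetical helper: translated private copy of a variable, NULL if unset. */
char *env_copy_translated(const char *name, char orig, char rep) {
  const char *env = getenv(name);  /* const: never written through */
  char *copy = dup_string(env);
  if (copy != NULL) trstr(copy, orig, rep);
  return copy;
}

/* Hypothetical helper: message copy that survives later strerror() calls. */
char *strerror_copy(int errnum) {
  return dup_string(strerror(errnum));
}

int main(void) {
  char *val = env_copy_translated("TEST_ENV", '"', '_');
  char *e1 = strerror_copy(ENOENT);
  char *e2 = strerror_copy(EACCES);  /* may reuse strerror()'s buffer */
  printf("TEST_ENV copy: %s\n", val ? val : "(unset)");
  printf("%s / %s\n", e1 ? e1 : "?", e2 ? e2 : "?");
  free(val);
  free(e1);
  free(e2);
  return 0;
}
```

The caller owns every returned pointer and must free() it.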

...

Compass/ROSE can detect violations of this rule. In particular, it ensures that the result of getenv() is stored in a const variable.

Related Vulnerabilities

...

[ISO/IEC 9899:1999] Section 7.11.1.1, "The setlocale function"; Section 7.11.2.1, "The localeconv function"; Section 7.20.4.5, "The getenv function"; Section 7.21.6.2, "The strerror function"
[Open Group 04] getenv (http://www.opengroup.org/onlinepubs/000095399/functions/getenv.html), setlocale (http://www.opengroup.org/onlinepubs/009695399/functions/setlocale.html), localeconv (http://www.opengroup.org/onlinepubs/009695399/functions/localeconv.html)

...