Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki MarkupDo not make any assumptions about the size of environment variables , as because an adversary could might have full control over the environment. Calculate the length of the strings yourself, and dynamically allocate memory for your copies \[[If the environment variable needs to be stored, the length of the associated string should be calculated and the storage dynamically allocated (see STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL terminator]\]null terminator).

...

Noncompliant Code Example

This non-compliant noncompliant code example copies the string returned by getenv() into a fixed-size buffer. This can result in a buffer overflow.:

Code Block
bgColor#FFcccc
langc

char *temp;
char copy[16];

temp = getenv("TEST_ENV");
if (temp != NULL) {void f() {
  char path[PATH_MAX]; /* Requires PATH_MAX to be defined */
  strcpy(copypath, tempgetenv("PATH"));
  /* Use path */
}

Compliant Solution

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

Compliant Solution

In this compliant solution, Use the strlen() function is used to calculate the size of the string, and dynamically allocate the required space .is dynamically allocated:

Code Block
bgColor#ccccff
langc
void f() {
  
char *temp;
char *copypath = NULL;

if ((  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("TEST_ENVPATH"));
  if (temp != NULL) {
  copy  path = (char *) malloc(strlen(temp) + 1);
    if (copypath !== NULL) {
    strcpy(copy  /* Handle error condition */
    } else {
      strcpy(path, temp);
    }
    /* Use path */
    free(path);
  }
}

Compliant Solution (POSIX or C2x)

In this compliant solution, the strdup() function is used to dynamically allocate a duplicate of the string:

Code Block
bgColor#ccccff
languagec
void f() {
  char *path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = strdup(temp);
    if (path == NULL)else {
      /* handleHandle error condition */
    }
    /* Use path */
    free(path);
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable could can result in a buffer overflow attack.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV01-

A

C

high

High

likely

Likely

low

Medium

P27

P18

L1

Automated Detection

...

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.TO
(general)

Buffer overrun
Type overrun
CodeSonar's taint analysis includes handling for taint introduced through the environment

Compass/ROSE



Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

Klocwork
Include Page
Klocwork_V
Klocwork_V
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
ABV.ITERATOR
ABV.MEMBER
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV01-a
CERT_C-ENV01-b
CERT_C-ENV01-c

Don't use unsafe C functions that do write to range-unchecked buffers
Avoid using unsafe string functions which may cause buffer overflows
Avoid overflow when writing to a buffer

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

669

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. ENV01-C

Checks for tainted NULL or non-null-terminated string (rec. partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"
\[[Open Group 04|AA. C References#Open Group 04]\] Chapter 8, "Environment Variables"
\[[Viega 03|AA. C References#Viega 03]\] Section 3.6, "Using Environment Variables Securely"

Related Guidelines

MITRE CWECWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-123, Write-what-where Condition
CWE-125, Out-of-bounds Read

Bibliography

[IEEE Std 1003.1:2013]Chapter 8, "Environment Variables"
[Viega 2003]Section 3.6, "Using Environment Variables Securely"


...

Image Added Image Added Image Added ENV00-A. Do not store the pointer to the string returned by getenv()      10. Environment (ENV)       ENV02-A. Beware of multiple environment variables with the same name