SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 44

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not make any assumptions about the size of environment variables , because an adversary might have full control over the environment. If the environment variable needs to be stored, then the length of the associated string should be calculated , and the storage dynamically allocated (see STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL null terminator).

Noncompliant Code Example

This noncompliant code example copies the string returned by getenv() into a fixed-size buffer.:

Code Block
bgColor#FFcccc
langc

void f() {
  char path[PATH_MAX]; /* requiresRequires PATH_MAX to be defined */
  strcpy(path, getenv("PATH"));
  /* useUse path */
}

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, there is still no requirement that the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

Compliant Solution

In the following this compliant solution, the strlen() function is used to calculate the size of the string, and the required space is dynamically allocated.:

Code Block
bgColor#ccccff
langc

void f() {
  char *copypath = NULL;
  /* avoidAvoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = (char*) malloc(strlen(temp) + 1);
    if (copypath == NULL) {
      /* Handle error condition */
    } else {
      strcpy(path, temp);
    }
    /* Use path * use path */
  }
}
/
    free(path);
  }
}

Compliant Solution (POSIX or C2x)

In this compliant solution, the strdup() function is used to dynamically allocate a duplicate of the string:

Code Block
bgColor#ccccff
languagec
void f() {
  char *path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = strdup(temp);
    if (path == NULL) {
      /* Handle error condition */
    }
    /* Use path */
    free(path);
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable can result in a buffer overflow.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV01-C

high

High

likely

Likely

medium

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
 LANG.MEM.TO
 (general)

Buffer overrun
Type overrun
CodeSonar's taint analysis includes handling for taint introduced through the environment

Compass/ROSE

...



Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

Klocwork
Include Page
Klocwork_V
Klocwork_V
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
ABV.ITERATOR
ABV.MEMBER
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV01-a
CERT_C-ENV01-b
CERT_C-ENV01-c

Don't use unsafe C functions that do write to range-unchecked buffers
Avoid using unsafe string functions which may cause buffer overflows
Avoid overflow when writing to a buffer

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

669

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. ENV01-C

Checks for tainted NULL or non-null-terminated string (rec. partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as ENV01-CPP. Do not make assumptions about the size of an environment variable.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 7.20.4, "Communication with the environment"
\[[MITRE 07|AA. References#MITRE 07]\] [CWE ID 119|http://cwe.mitre.org/data/definitions/119.html], "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer"
\[[Open Group 04|AA. References#Open Group 04]\] Chapter 8, "Environment Variables"
\[[Viega 03|AA. References#Viega 03]\] Section 3.6, "Using Environment Variables Securely"

Related Guidelines

MITRE CWECWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-123, Write-what-where Condition
CWE-125, Out-of-bounds Read

Bibliography

[IEEE Std 1003.1:2013]Chapter 8, "Environment Variables"
[Viega 2003]Section 3.6, "Using Environment Variables Securely"


...

Image Added Image Added ENV00-C. Do not store the pointer to the string returned by getenv()      10. Environment (ENV)      Image Modified