Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not make any assumptions about the size of environment variables because an adversary might have full control over the environment. If the environment variable needs to be stored, then the length of the associated string should be calculated , and the storage dynamically allocated . (See rule see STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL null terminator).)

Noncompliant Code Example

This noncompliant code example copies the string returned by getenv() into a fixed-size buffer.:

Code Block
bgColor#FFcccc
langc

void f() {
  char path[PATH_MAX]; /* requiresRequires PATH_MAX to be defined */
  strcpy(path, getenv("PATH"));
  /* useUse path */
}

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, there is still no requirement that the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

Compliant Solution

In the following this compliant solution, the strlen() function is used to calculate the size of the string, and the required space is dynamically allocated.:

Code Block
bgColor#ccccff
langc

void f() {
  char *path = NULL;
  /* avoidAvoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = (char*) malloc(strlen(temp) + 1);
    if (path == NULL) {
      /* Handle error condition */
    } else {
      strcpy(path, temp);
    }
    /* use path Use path */
    free(path);
  }
}

Compliant Solution (POSIX or C2x)

In this compliant solution, the strdup() function is used to dynamically allocate a duplicate of the string:

Code Block
bgColor#ccccff
languagec
void f() {
  char *path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = strdup(temp);
    if (path == NULL) {
      /* Handle error condition */
    }
    /* Use path */
    free(path);
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable can result in a buffer overflow.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV01-C

high

High

likely

Likely

medium

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

section Sectioncan

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.TO
(general)

Buffer overrun
Type overrun
CodeSonar's taint analysis includes handling for taint introduced through the environment

Compass/ROSE

 

 



Can detect violations of the rule by using the same method as

rule

STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

Klocwork
Include Page
Klocwork_V
Klocwork_V
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
ABV.ITERATOR
ABV.MEMBER
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV01-a
CERT_C-ENV01-b
CERT_C-ENV01-c

Don't use unsafe C functions that do write to range-unchecked buffers
Avoid using unsafe string functions which may cause buffer overflows
Avoid overflow when writing to a buffer

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

669

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. ENV01-C

Checks for tainted NULL or non-null-terminated string (rec. partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

CERT C++ Secure Coding Standard: ENV01-CPP. Do not make assumptions about the size of an environment variable

...

...

...

Improper Restriction of Operations within the Bounds of

...

a Memory Buffer

...


CWE-123, Write-what-where Condition
CWE-125, Out-of-bounds Read

Bibliography

[IEEE Std 1003.1:2013]Chapter 8, "Environment Variables"
[Viega 2003]Section 3.6, "Using Environment Variables Securely"


...

Image Added Image Added

Bibliography

Wiki Markup
\[[Open Group 2004|AA. Bibliography#Open Group 04]\] Chapter 8, "Environment Variables"
\[[Viega 2003|AA. Bibliography#Viega 03]\] Section 3.6, "Using Environment Variables Securely"

ENV00-C. Do not store the pointer to the string returned by getenv()      10. Environment (ENV)      Image Modified