SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not make any assumptions about the size of environment variables , as because an adversary could might have full control over the environment. Calculate If the environment variable needs to be stored, the length of the strings yourself, and dynamically allocate memory for your copies. There is nothing you can do to avoid the race conditions inherent here, but you can limit your exposure.

Non-Compliant Coding Example

associated string should be calculated and the storage dynamically allocated (see STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator).

Noncompliant Code Example

This noncompliant code example copies the string returned by getenv() into a fixed-size buffer:This non-compliant code example copies into a buffer of fixed size. This can result in a buffer overflow.

Code Block
bgColor#FFcccc
lang

char *temp;
char copy[16];

temp = getenv("TEST_ENV");

if(temp != NULL)
  strcpy(buff, temp);

Compliant Solution

c
void f() {
  char path[PATH_MAX]; /* Requires PATH_MAX to be defined */
  strcpy(path, getenv("PATH"));
  /* Use path */
}

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

Compliant Solution

In this compliant solution, the strlen() function is used to calculate the size of the string, and the required space is dynamically allocated:Use strlen to calculate size and dynamically allocate space.

Code Block
bgColor#ccccff
langc
void f() {
  char *temp;
char *copy;

if ((path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("TEST_ENVPATH"));
  if (temp != NULL) {
    copypath = (char*) malloc(strlen(temp) + 1);

    if (copypath !== NULL) {
      /* Handle error condition */
    } else {
      strcpy(copypath, temp);
    }
    /* Use path */
    free(path);
  }
}

Compliant Solution (POSIX or C2x)

In this compliant solution, the strdup() function is used to dynamically allocate a duplicate of the string:

Code Block
bgColor#ccccff
languagec
void f() {
  char *path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = strdup(temp);
    if (path == NULL)  else {
      /* handleHandle error condition */
    }
}
else {
  return -1;
}

Risk Assessment

    /* Use path */
    free(path);
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable can result in a buffer overflow.

Recommendation

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV00-A

1 (low)

1 (unlikely)

3 (low)

P3

L3

References

ENV01-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
 LANG.MEM.TO
 (general)

Buffer overrun
Type overrun
CodeSonar's taint analysis includes handling for taint introduced through the environment

Compass/ROSE



Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

Klocwork
Include Page
Klocwork_V
Klocwork_V
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
ABV.ITERATOR
ABV.MEMBER
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ENV01-a
CERT_C-ENV01-b
CERT_C-ENV01-c

Don't use unsafe C functions that do write to range-unchecked buffers
Avoid using unsafe string functions which may cause buffer overflows
Avoid overflow when writing to a buffer

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

669

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. ENV01-C

Checks for tainted NULL or non-null-terminated string (rec. partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

MITRE CWECWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-123, Write-what-where Condition
CWE-125, Out-of-bounds Read

Bibliography

[IEEE Std 1003.1:2013]Chapter 8, "Environment Variables"
[Viega 2003]Section 3.6, "Using Environment Variables Securely"


...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 7.20.4, "Communication with the environment" \[[Open Group 04|AA. C References#Open Group 04]\] Chapter 8, "Environment Variables", [strdup|http://www.opengroup.org/onlinepubs/009695399/functions/strdup.html] \[[Viega 03|AA. C References#Viega 03]\] Section 3.6, "Using Environment Variables Securely"