Comment: Updated references from C11->C23

Some implementations provide a nonportable environment pointer that is valid when main() is called but may be invalidated by operations that modify the environment.

The C Standard, J.5.2 [ISO/IEC 9899:2024], states:

In a hosted environment, the main function receives a third argument, char *envp[], that points to a null-terminated array of pointers to char, each of which points to a string that provides information about the environment for this execution of the program (5.1.2.3.2).

Consequently, under a hosted environment supporting this common extension, it is possible to access the environment through a modified form of main():

...

An environment pointer may also become invalidated by subsequent calls to getenv(). (See ENV34-C. Do not store pointers returned by certain functions for more information.)

Noncompliant Code Example (POSIX)

After a call to the POSIX setenv() function or to another function that modifies the environment, the envp pointer may no longer reference the current environment. The Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013], states:

Unanticipated results may occur if setenv() changes the external variable environ. In particular, if the optional envp argument to main() is present, it is not changed, and thus may point to an obsolete copy of the environment (as may any other copy of environ).

...

Because envp may no longer point to the current environment, this program has unanticipated behavior.

Compliant Solution (POSIX)

...
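The divergence that POSIX describes can be observed without dereferencing a stale pointer. The following is an added example, not code from the CERT page: it deep-copies environ to stand in for the frozen block behind envp, calls setenv(), and compares the two views. The helper names and the variable ENV31_DEMO_VAR are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;  /* POSIX: always refers to the current environment */

/* Return the value of name in a NULL-terminated "NAME=value" array, or NULL. */
static const char *env_lookup(char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; env != NULL && *env != NULL; ++env)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Deep-copy an environment array. The copy stands in for the frozen block
 * that envp refers to, so the demo never reads a possibly stale pointer. */
static char **env_snapshot(char *const *env) {
    size_t count = 0;
    while (env != NULL && env[count] != NULL) ++count;
    char **copy = calloc(count + 1, sizeof *copy);
    if (copy == NULL) return NULL;
    for (size_t i = 0; i < count; ++i) {
        size_t len = strlen(env[i]) + 1;
        if ((copy[i] = malloc(len)) == NULL) return NULL;
        memcpy(copy[i], env[i], len);
    }
    return copy;  /* intentionally not freed in this short demo */
}

/* Returns 1 if the frozen copy lacks a variable that environ shows after
 * setenv(), 0 if the two views agree, -1 on allocation or setenv failure. */
static int snapshot_goes_stale(const char *name, const char *value) {
    char **frozen = env_snapshot(environ);
    if (frozen == NULL || setenv(name, value, 1) != 0) return -1;
    const char *old_view = env_lookup(frozen, name);
    const char *cur_view = env_lookup(environ, name);
    return old_view == NULL && cur_view != NULL && strcmp(cur_view, value) == 0;
}

int main(void) {
    /* ENV31_DEMO_VAR is a constructed name assumed to be unset at startup. */
    int stale = snapshot_goes_stale("ENV31_DEMO_VAR", "1");
    printf("frozen copy stale after setenv(): %d\n", stale);
    return stale == 1 ? 0 : 1;
}
```

Code that needs to walk the environment after any modification should read environ (or call getenv()) at that point rather than reuse a pointer captured earlier.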

According to the Visual C++ reference [MSDN],

The environment block passed to main and wmain is a "frozen" copy of the current environment. If you subsequently change the environment via a call to _putenv or _wputenv, the current environment (as returned by getenv / _wgetenv and the _environ / _wenviron variable) will change, but the block pointed to by envp will not change.

...

Because envp no longer points to the current environment, this program has unanticipated behavior.

Compliant Solution (Windows)

...

Using the envp environment pointer after the environment has been modified can result in undefined behavior.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ENV31-C | Low | Probable | Medium | P4 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | | Supported |
| Compass/ROSE | | | |
| PRQA QA-C | | 0601 (E) | Fully implemented |
| Cppcheck Premium | 24.9.0 | premium-cert-env31-c | Fully implemented |
| Helix QAC | | DF4991, DF4992, DF4993 | |
| LDRA tool suite | | 118 S | Fully Implemented |
| Parasoft C/C++test | | CERT_C-ENV31-a | Do not rely on an environment pointer following an operation that may invalidate it |
| Polyspace Bug Finder | | CERT C: Rule ENV31-C | Checks for environment pointer invalidated by previous operation (rule fully covered) |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C++ Secure Coding Standard | VOID ENV31-CPP. Do not rely on an environment pointer following an operation that may invalidate it | Prior to 2018-01-12: CERT: Unspecified Relationship |

Bibliography

[IEEE Std 1003.1:2013] XSH, System Interfaces, setenv
[ISO/IEC 9899:2024] J.5.2, "Environment Arguments"
[MSDN] _environ, _wenviron, getenv, _wgetenv, _putenv_s, _wputenv_s

...


...
