You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 60 Next »

Do not make any assumptions about the size of environment variables because an adversary might have full control over the environment. If the environment variable needs to be stored, the length of the associated string should be calculated and the storage dynamically allocated. (See STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator.)

Noncompliant Code Example

This noncompliant code example copies the string returned by getenv() into a fixed-size buffer:

void f() {
  char path[PATH_MAX]; /* Requires PATH_MAX to be defined */
  strcpy(path, getenv("PATH"));
  /* Use path */
}

Even if your platform assumes that $PATH is defined, defines PATH_MAX, and enforces that paths not have more than PATH_MAX characters, the $PATH environment variable still is not required to have less than PATH_MAX chars. And if it has more than PATH_MAX chars, a buffer overflow will result. Also, if $PATH is not defined, then strcpy() will attempt to dereference a null pointer.

Compliant Solution

In this compliant solution, the strlen() function is used to calculate the size of the string, and the required space is dynamically allocated:

void f() {
  char *path = NULL;
  /* Avoid assuming $PATH is defined or has limited length */
  const char *temp = getenv("PATH");
  if (temp != NULL) {
    path = (char*) malloc(strlen(temp) + 1);
    if (path == NULL) {
      /* Handle error condition */
    } else {
      strcpy(path, temp);
    }
    /* Use path */
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable can result in a buffer overflow.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV01-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar8.1p0

LANG.MEM.BO

LANG.MEM.TO

(general)

Buffer Overrun

Type Overrun

CodeSonar's taint analysis includes handling for taint introduced through the environment.

Compass/ROSE

 

 

Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Coding StandardVOID ENV01-CPP. Do not make assumptions about the size of an environment variable
MITRE CWECWE-119, Failure to constrain operations within the bounds of an allocated memory buffer

Bibliography

[IEEE Std 1003.1:2013]Chapter 8, "Environment Variables"
[Viega 2003]Section 3.6, "Using Environment Variables Securely"

 


  • No labels