
Information determined prior to program startup from the hosted environment is supplied to the program. This information includes command line arguments and environmental variables.

Command line arguments are passed as arguments to main(). In the following definition of main(), the array members argv[0] through argv[argc-1] inclusive contain pointers to null-terminated byte strings, and argv[argc] is a null pointer.

int main(int argc, char *argv[]) { /* ... */ }

If the value of argc is greater than zero, the string pointed to by argv[0] represents the program name. If the value of argc is greater than one, the strings pointed to by argv[1] through argv[argc-1] represent the program parameters.

The getenv() function searches an environment list, provided by the host environment, for a string that matches the string pointed to by its name argument, and returns a null pointer if no match is found. The set of environment names and the method for altering the environment list are implementation-defined.

Non-Compliant Code Example

The contents of argv[0] can be manipulated by an attacker to cause a buffer overflow in the following program:

#include <string.h>

int main(int argc, char *argv[]) {
  /* ... */
  char prog_name[128];
  strcpy(prog_name, argv[0]);  /* no length check: argv[0] can exceed 128 bytes */
  /* ... */
}

Compliant Solution

After confirming that argc is greater than zero and that argv[0] is not a null pointer, the strlen() function should be used to determine the length of the strings referenced by argv[0] through argv[argc-1] so that adequate memory can be dynamically allocated:

#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
  /* ... */
  char *prog_name = NULL;
  if (argc > 0 && argv[0] != NULL) {
    prog_name = (char *)malloc(strlen(argv[0]) + 1);  /* +1 for the null terminator */
    if (prog_name != NULL) {
      strcpy(prog_name, argv[0]);  /* copy the same string whose length was measured */
    }
    else {
      /* Couldn't get the memory - recover */
    }
  }
  /* ... */
  free(prog_name);
}

Non-Compliant Code Example

Reading environment variables into fixed-length arrays can also result in a buffer overflow, because the length of the value is controlled by whoever set the environment. The following code also dereferences a null pointer if EDITOR is unset:

#include <stdlib.h>
#include <string.h>

char buff[256];
strcpy(buff, (char *)getenv("EDITOR"));  /* no length check and no NULL check */

Compliant Solution

The strlen() function should be used to determine the length of environment variables so that adequate memory can be dynamically allocated, after checking that getenv() did not return a null pointer and that malloc() succeeded:

#include <stdlib.h>
#include <string.h>

char *editor;
char *buff = NULL;

editor = (char *)getenv("EDITOR");
if (editor) {
  buff = (char *)malloc(strlen(editor) + 1);  /* +1 for the null terminator */
  if (buff != NULL) {
    strcpy(buff, editor);
  }
  else {
    /* Couldn't get the memory - recover */
  }
}
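The two compliant solutions above leave the surrounding program elided. The following complete program is an added example (not the page's or CERT's own code) that applies the same approach to both argv[0] and the EDITOR environment variable in one place, checking every precondition the text names: argc may be zero, argv[0] may be a null pointer, getenv() may return a null pointer, and malloc() may fail. It also shows a bounded copy into a fixed-size buffer for the case where dynamic allocation is not wanted, so the truncation is detected rather than written past the end of the array. The helper names dup_cstr, copy_program_name, copy_env_var and copy_bounded are this example's own, not a library API.

```c
/* Added example: safe copies of argv[0] and an environment variable.
 * Helper names are this example's own, not a standard library API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate strlen(src)+1 bytes and copy src into them.
 * Returns NULL if src is NULL or the allocation fails. */
char *dup_cstr(const char *src) {
  size_t len;
  char *copy;
  if (src == NULL) return NULL;
  len = strlen(src);
  copy = malloc(len + 1);         /* +1 for the terminating null byte */
  if (copy == NULL) return NULL;  /* couldn't get the memory */
  memcpy(copy, src, len + 1);     /* copies the terminator as well */
  return copy;
}

/* argv[0] is only meaningful when argc > 0, and even then the host may
 * supply a null pointer, so both conditions are checked before copying. */
char *copy_program_name(int argc, char *argv[]) {
  if (argc < 1 || argv == NULL || argv[0] == NULL) return NULL;
  return dup_cstr(argv[0]);
}

/* getenv() returns NULL when the variable is unset; dup_cstr passes that
 * through instead of dereferencing it. */
char *copy_env_var(const char *name) {
  return dup_cstr(getenv(name));
}

/* Bounded copy into a fixed-size buffer.  Returns 0 on success and -1 if
 * src is NULL or would not fit; on failure dst is left as an empty string
 * rather than overflowed. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
  size_t len;
  if (dst == NULL || dst_size == 0) return -1;
  if (src == NULL) { dst[0] = '\0'; return -1; }
  len = strlen(src);
  if (len >= dst_size) { dst[0] = '\0'; return -1; }  /* no room for terminator */
  memcpy(dst, src, len + 1);
  return 0;
}

int main(int argc, char *argv[]) {
  char fixed[128];
  char *prog_name = copy_program_name(argc, argv);
  char *editor = copy_env_var("EDITOR");

  printf("program name: %s\n", prog_name ? prog_name : "(unavailable)");
  printf("EDITOR: %s\n", editor ? editor : "(unset)");
  if (copy_bounded(fixed, sizeof fixed, prog_name) != 0)
    printf("program name does not fit in %zu bytes\n", sizeof fixed);

  free(prog_name);
  free(editor);
  return 0;
}
```

dup_cstr measures the string once and copies exactly that many bytes plus the terminator, so the allocated size and the copied size cannot drift apart the way they do when the length is taken from one string and the copy from another. copy_bounded refuses the copy when strlen(src) is greater than or equal to the buffer size, because the terminating null byte needs the last slot.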

Priority: P18 Level: L1

Failure to properly allocate sufficient space when copying null-terminated byte strings can result in buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process by an attacker.

Component         Value
Severity          3 (medium)
Likelihood        3 (probable)
Remediation cost  2 (medium)

References

  • ISO/IEC 9899-1999 Section 7.1.1 Definitions of terms, Section 7.21 String handling <string.h>, Section 5.1.2.2.1 Program startup, Section 7.20.4.5 The getenv function
  • Seacord 05 Chapter 2 Strings