Do not make any assumptions about the size of environment variables, as an adversary could have full control over the environment. Calculate the length of the strings yourself, and dynamically allocate memory for your copies [STR31-C].
Non-Compliant Code Example
This non-compliant code example copies the string returned by getenv() into a fixed size buffer. This can result in a buffer overflow.
char *temp;
char copy[16];
temp = getenv("TEST_ENV");
if (temp != NULL) {
strcpy(buff, temp);
}
Compliant Solution
Use the strlen() function to calculate the size of the string and dynamically allocate the required space.
char *temp;
char *copy = NULL;
if ((temp = getenv("TEST_ENV")) != NULL) {
copy = malloc(strlen(temp) + 1);
if (copy != NULL) {
strcpy(copy, temp);
}
else {
/* handle error condition */
}
}
Risk Assessment
This could result in a buffer overflow attack.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
ENV01-A |
3 (high) |
1 (unlikely) |
3 (low) |
P9 |
L2 |
References
[[ISO/IEC 9899-1999:TC2]] Section 7.20.4, "Communication with the environment"
[[Open Group 04]] Chapter 8, "Environment Variables"
[[Viega 03]] Section 3.6, "Using Environment Variables Securely"