You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 38 Next »

Do not make any assumptions about the size of environment variables, because an adversary might have full control over the environment. If the environment variable needs to be stored, then the length of the associated string should be calculated, and the storage dynamically allocated (see STR31-C. Guarantee that storage for strings has sufficient space for character data and the NULL terminator).

Noncompliant Code Example

This noncompliant code example copies the string returned by getenv() into a fixed-size buffer.

char copy[16];
const char *temp = getenv("TEST_ENV");
if (temp != NULL) {
  strcpy(copy, temp);
}

However, the string copied from temp may exceed the size of copy, leading to a buffer overflow.

Compliant Solution

In the following compliant solution, the strlen() function is used to calculate the size of the string, and the required space is dynamically allocated.

char *copy = NULL;
const char *temp = getenv("TEST_ENV");
if (temp != NULL) {
  copy = (char *)malloc(strlen(temp) + 1);
  if (copy != NULL) {
    strcpy(copy, temp);
  }
  else {
    /* Handle error condition */
  }
}

Risk Assessment

Making assumptions about the size of an environmental variable can result in a buffer overflow.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV01-C

high

likely

medium

P18

L1

Automated Detection

Compass/ROSE can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as ENV01-CPP. Do not make assumptions about the size of an environment variable.

References

[[ISO/IEC 9899:1999]] Section 7.20.4, "Communication with the environment"
[[MITRE 07]] CWE ID 119, "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer"
[[Open Group 04]] Chapter 8, "Environment Variables"
[[Viega 03]] Section 3.6, "Using Environment Variables Securely"


ENV00-C. Do not store the pointer to the string returned by getenv()      10. Environment (ENV)      

  • No labels