Use of stack variable with putenv
Description
The software calls putenv() with a variable that has a short lifetime, such as a pointer to an automatic variable allocated on the stack. This can lead to undefined behavior when the environment variable is accessed after the stack variable has gone out of scope.
Examples
Insecure Code

```c
char buf[10]; putenv(buf);
```

Secure Code

```c
putenv("STATIC_STRING");
```

Remediation
Call putenv() with a static or global string instead of a stack variable.
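The following is an added illustration, not code from the rule's source: a function that builds a NAME=value string in an automatic buffer and hands it to putenv() (the pattern this rule flags), beside two forms that keep the string alive, one using a static buffer and one using POSIX setenv(), which copies its arguments. The function names and the APP_MODE variable are made up for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flagged pattern (CWE-562): buf lives on the stack. putenv() stores the
 * pointer itself, so after this function returns the environment refers
 * to a dead stack frame. Never call this; it is here only to show the bug. */
int set_mode_unsafe(const char *mode)
{
    char buf[64];
    snprintf(buf, sizeof buf, "APP_MODE=%s", mode);
    return putenv(buf);          /* environ now points into buf */
}

/* Fix 1: static storage outlives the call. Note that any later write to
 * buf also changes the environment, because environ still points at it. */
int set_mode_static(const char *mode)
{
    static char buf[64];
    int n = snprintf(buf, sizeof buf, "APP_MODE=%s", mode);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;               /* too long: do not publish a truncated entry */
    return putenv(buf);
}

/* Fix 2: setenv() copies name and value into memory it manages, so no
 * caller-owned buffer is involved at all. */
int set_mode_setenv(const char *mode)
{
    return setenv("APP_MODE", mode, 1);
}

const char *get_mode(void)
{
    return getenv("APP_MODE");
}

int main(void)
{
    set_mode_static("release");
    printf("APP_MODE=%s\n", get_mode());
    set_mode_setenv("debug");
    printf("APP_MODE=%s\n", get_mode());
    return 0;
}
```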
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0269 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-562 |
| Confidence | LOW |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | putenv, stack variable |
| OWASP | N/A |
References
- https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
- https://cwe.mitre.org/data/definitions/562
- https://cwe.mitre.org/data/definitions/686