BADFUNC.PUTENV : putenvの使用

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

BADFUNC.PUTENV : putenvの使用

要旨

A use of putenv(), which can cause problems when called with a pointer to a buffer with automatic storage duration. It is usually preferable to use setenv(), which does not have these issues.

プロパティ

MisraC2025

MisraC2025:18.6

The address of an object with automatic or thread-local storage shall not be copied to another object that persists after the first object has ceased to exist

MisraC2023

MisraC2023:18.6

The address of an object with automatic or thread-local storage shall not be copied to another object that persists after the first object has ceased to exist

Misra2012

Misra2012:18.6

The address of an object with automatic or thread-local storage shall not be copied to another object that persists after the first object has ceased to exist

Misra2004

Misra2004:17.6

The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist

AUTOSARC++14

AUTOSARC++14:M7-5-2

The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist.

MisraC++2008

MisraC++2008:7-5-2

The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist.

MisraC++2023

MisraC++2023:6.8.3

An assignment operator shall not assign the address of an object with automatic storage duration to an object with a greater lifetime

CWE

CWE:676

Use of Potentially Dangerous Function

CWE:758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

TS17961

TS17961:5.15-addrescape

Escaping of the address of an automatic object

CERT-C

CERT-C:POS34-C

Do not call putenv() with a pointer to an automatic variable as the argument

Insecure design

Insecure Design

#include <stdlib.h>
#include <string.h>

int set_with_putenv(char *val){
    char myarg[35];
    if (!val || strlen(val)>20){ return -1;}
    return putenv(strcat(strcpy(myarg, "MY_ENV_VAR="), val)); /* 'Use of putenv' warning issued here */
                                                              /* The string pointed to by strcat(strcpy(myarg, "MY_ENV_VAR="), val)
                                                               * has been made part of the environment, but that memory may be overwritten after 
                                                               * control returns from set_with_putenv()
                                                               */ 
}

int set_with_setenv(char *val){
    if (!val || strlen(val)>20){ return -1;}
    return setenv("MY_ENV_VAR", val, 1);                                 /* You can set environment variables with setenv()
                                                                          * to avoid problems with putenv(). */
}

関連のある設定ファイルパラメータ

このクラスは一般テンプレート設定ファイルで BAD_FUNCTION_* ルールセットによって実装されています。

設定ファイルの以下のパラメータがこのワーニングクラスのチェックに影響します。