Use of putenv() with a pointer to a stack variable

ID

c.memory_management.putenv_stack_var

Severity

low

Resource

Memory Management

Language

C / C++

Description

The software calls putenv() with a variable that has a short lifetime, such as a pointer to an automatic variable allocated on the stack. The correct behavior is to call putenv() with a static/global string.

Rationale

putenv() does not copy the string it is given: the environment array stores the pointer itself, and later getenv() calls read through that pointer. When the argument is an automatic variable, the string ceases to exist as soon as the enclosing function returns, leaving the environment with a dangling pointer into reclaimed stack memory; subsequent reads of the variable return whatever that memory has since been reused for. The correct behavior is to call putenv() with a static/global string (or other storage that outlives the variable), or to use setenv(), which makes its own copy.

The following code illustrates a vulnerable pattern detected by this rule:

#include <stdlib.h>

#define STR_MAX 64            /* assumed size; not given on the page */
void fillInName(char *buf);   /* assumed helper that writes "NAME=value" into buf */

int putName_bad()
{
	char name[STR_MAX];

	fillInName(name);

	// VULNERABLE: Use of putenv() with a pointer to a stack variable.
	// putenv() stores the pointer itself, not a copy, so the environment
	// keeps referencing 'name' after this function returns and its stack
	// frame is reclaimed.
	putenv(name);

	return 0;
}
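As an added example (not the page's own code), the two usual fixes for the pattern above, written against POSIX setenv()/putenv(); the variable name APP_NAME, the value of STR_MAX and the helper functions are assumptions for the demonstration:

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_MAX 64              /* assumed buffer size; not given on the page */
#define VAR_NAME "APP_NAME"     /* assumed variable name for the demonstration */

/* Fix 1: setenv() copies both name and value into storage the C library
 * owns, so the stack buffer holding the value may safely go away. */
int putName_setenv(const char *value)
{
	char name[STR_MAX];

	if (strlen(value) >= sizeof name)
		return -1;                      /* would be truncated; refuse */
	strcpy(name, value);                    /* stands in for fillInName() */
	return setenv(VAR_NAME, name, 1);       /* copied; 'name' may now die */
}

/* Fix 2: keep putenv(), but give it a string with static storage duration.
 * putenv() stores this pointer in environ, so every later write to the
 * buffer is immediately visible to getenv(): check the length *before*
 * touching it, or a failed call would still corrupt the variable. */
int putName_static(const char *value)
{
	static char envstr[STR_MAX];

	if (strlen(VAR_NAME "=") + strlen(value) >= sizeof envstr)
		return -1;                      /* too long; environment untouched */
	snprintf(envstr, sizeof envstr, "%s=%s", VAR_NAME, value);
	return putenv(envstr);
}

/* Reads the variable back; NULL if unset. */
const char *current_name(void)
{
	return getenv(VAR_NAME);
}

int main(void)
{
	putName_setenv("alice");
	printf("after setenv: %s\n", current_name());
	putName_static("bob");
	printf("after putenv(static): %s\n", current_name());
	return 0;
}
```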

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.