// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=security.PutenvStackArray \
// RUN: -verify %s
#include "Inputs/system-header-simulator.h"
void free(void *);
void *malloc(size_t);
int putenv(char *);
int snprintf(char *, size_t, const char *, ...);
int test_auto_var(const char *var) {
char env[1024];
(void)snprintf(env, sizeof(env), "TEST=%s", var);
return putenv(env); // expected-warning{{The 'putenv' function should not be called with arrays that have automatic storage}}
}
int test_static_var(const char *var) {
static char env[1024];
(void)snprintf(env, sizeof(env), "TEST=%s", var);
return putenv(env); // no-warning: static array is used
}
void test_heap_memory(const char *var) {
const char *env_format = "TEST=%s";
const size_t len = strlen(var) + strlen(env_format);
char *env = (char *)malloc(len);
if (env == NULL)
return;
if (putenv(env) != 0) // no-warning: env was dynamically allocated.
free(env);
}
typedef struct {
int A;
char Env[1024];
} Mem;
int test_auto_var_struct() {
Mem mem;
return putenv(mem.Env); // expected-warning{{The 'putenv' function should not be called with}}
}
int test_auto_var_subarray() {
char env[1024];
return putenv(env + 100); // expected-warning{{The 'putenv' function should not be called with}}
}
int f_test_auto_var_call(char *env) {
return putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
}
int test_auto_var_call() {
char env[1024];
return f_test_auto_var_call(env);
}
int test_constant() {
char *env = "TEST";
return putenv(env); // no-warning: data is not on the stack
}
extern char *ext_env;
int test_extern() {
return putenv(ext_env); // no-warning: extern storage class.
}
void test_auto_var_reset() {
char env[] = "NAME=value";
putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
// ... (do something)
// Even cases like this are likely a bug:
// It looks like that if one string was passed to putenv,
// it should not be deallocated at all, because when reading the
// environment variable a pointer into this string is returned.
// In this case, if another (or the same) thread reads variable "NAME"
// at this point and does not copy the returned string, the data may
// become invalid.
putenv((char *)"NAME=anothervalue");
}
void f_main(char *env) {
putenv(env); // no warning: string allocated in stack of 'main'
}
int main(int argc, char **argv) {
char env[] = "NAME=value";
putenv(env); // no warning: string allocated in stack of 'main'
f_main(env);
return 0;
}
Codebase Browser
llvm