clang/test/Analysis/putenv-stack-array.c - llvm-project - Git at Google

 // RUN: %clang_analyze_cc1 \
 // RUN:  -analyzer-checker=security.PutenvStackArray \
 // RUN:  -verify %s

 #include "Inputs/system-header-simulator.h"
 void free(void *);
 void *malloc(size_t);
 int putenv(char *);
 int snprintf(char *, size_t, const char *, ...);

 int test_auto_var(const char *var) {
   char env[1024];
   (void)snprintf(env, sizeof(env), "TEST=%s", var);
   return putenv(env); // expected-warning{{The 'putenv' function should not be called with arrays that have automatic storage}}
 }

 int test_static_var(const char *var) {
   static char env[1024];
   (void)snprintf(env, sizeof(env), "TEST=%s", var);
   return putenv(env); // no-warning: static array is used
 }

 void test_heap_memory(const char *var) {
   const char *env_format = "TEST=%s";
   const size_t len = strlen(var) + strlen(env_format);
   char *env = (char *)malloc(len);
   if (env == NULL)
     return;
   if (putenv(env) != 0) // no-warning: env was dynamically allocated.
     free(env);
 }

 typedef struct {
   int A;
   char Env[1024];
 } Mem;

 int test_auto_var_struct() {
   Mem mem;
   return putenv(mem.Env); // expected-warning{{The 'putenv' function should not be called with}}
 }

 int test_auto_var_subarray() {
   char env[1024];
   return putenv(env + 100); // expected-warning{{The 'putenv' function should not be called with}}
 }

 int f_test_auto_var_call(char *env) {
   return putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
 }

 int test_auto_var_call() {
   char env[1024];
   return f_test_auto_var_call(env);
 }

 int test_constant() {
   char *env = "TEST";
   return putenv(env); // no-warning: data is not on the stack
 }

 extern char *ext_env;
 int test_extern() {
   return putenv(ext_env); // no-warning: extern storage class.
 }

 void test_auto_var_reset() {
   char env[] = "NAME=value";
   putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
   // ... (do something)
   // Even cases like this are likely a bug:
   // It looks like that if one string was passed to putenv,
   // it should not be deallocated at all, because when reading the
   // environment variable a pointer into this string is returned.
   // In this case, if another (or the same) thread reads variable "NAME"
   // at this point and does not copy the returned string, the data may
   // become invalid.
   putenv((char *)"NAME=anothervalue");
 }

 void f_main(char *env) {
   putenv(env); // no warning: string allocated in stack of 'main'
 }

 int main(int argc, char **argv) {
   char env[] = "NAME=value";
   putenv(env); // no warning: string allocated in stack of 'main'
   f_main(env);
   return 0;
 }
	// RUN: %clang_analyze_cc1 \
	// RUN: -analyzer-checker=security.PutenvStackArray \
	// RUN: -verify %s

	#include "Inputs/system-header-simulator.h"
	void free(void *);
	void *malloc(size_t);
	int putenv(char *);
	int snprintf(char , size_t, const char , ...);

	int test_auto_var(const char *var) {
	char env[1024];
	(void)snprintf(env, sizeof(env), "TEST=%s", var);
	return putenv(env); // expected-warning{{The 'putenv' function should not be called with arrays that have automatic storage}}
	}

	int test_static_var(const char *var) {
	static char env[1024];
	(void)snprintf(env, sizeof(env), "TEST=%s", var);
	return putenv(env); // no-warning: static array is used
	}

	void test_heap_memory(const char *var) {
	const char *env_format = "TEST=%s";
	const size_t len = strlen(var) + strlen(env_format);
	char env = (char )malloc(len);
	if (env == NULL)
	return;
	if (putenv(env) != 0) // no-warning: env was dynamically allocated.
	free(env);
	}

	typedef struct {
	int A;
	char Env[1024];
	} Mem;

	int test_auto_var_struct() {
	Mem mem;
	return putenv(mem.Env); // expected-warning{{The 'putenv' function should not be called with}}
	}

	int test_auto_var_subarray() {
	char env[1024];
	return putenv(env + 100); // expected-warning{{The 'putenv' function should not be called with}}
	}

	int f_test_auto_var_call(char *env) {
	return putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
	}

	int test_auto_var_call() {
	char env[1024];
	return f_test_auto_var_call(env);
	}

	int test_constant() {
	char *env = "TEST";
	return putenv(env); // no-warning: data is not on the stack
	}

	extern char *ext_env;
	int test_extern() {
	return putenv(ext_env); // no-warning: extern storage class.
	}

	void test_auto_var_reset() {
	char env[] = "NAME=value";
	putenv(env); // expected-warning{{The 'putenv' function should not be called with}}
	// ... (do something)
	// Even cases like this are likely a bug:
	// It looks like that if one string was passed to putenv,
	// it should not be deallocated at all, because when reading the
	// environment variable a pointer into this string is returned.
	// In this case, if another (or the same) thread reads variable "NAME"
	// at this point and does not copy the returned string, the data may
	// become invalid.
	putenv((char *)"NAME=anothervalue");
	}

	void f_main(char *env) {
	putenv(env); // no warning: string allocated in stack of 'main'
	}

	int main(int argc, char **argv) {
	char env[] = "NAME=value";
	putenv(env); // no warning: string allocated in stack of 'main'
	f_main(env);
	return 0;
	}