================ @@ -1179,6 +1179,54 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C) strncpy(buf, "a", 1); // warn } +.. _security-putenv-with-auto: + +security.PutenvWithAuto +""""""""""""""""""""""" +Finds calls to the ``putenv`` function which pass a pointer to an automatic variable as the argument. +Function ``putenv`` does not copy the passed string, only a pointer to the data is stored. +Content of an automatic variable is likely to be overwritten after returning from the parent function. ---------------- steakhal wrote:
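Review bot: the new ``security.PutenvWithAuto`` entry in this hunk has no example snippet, while the neighbouring entries in this file end with one (see ``strncpy(buf, "a", 1); // warn`` in the context just above the insertion point); suggest adding a short example in the same style, e.g. a local ``char buf[...]`` filled and passed to ``putenv(buf)`` marked ``// warn``, so readers see exactly which pattern is reported and why the pointer outlives the frame. A smaller wording point in the same hunk: "Content of an automatic variable is likely to be overwritten after returning from the parent function" reads better as "The contents of an automatic variable are likely to be overwritten after the enclosing function returns", which also makes clear that the problem is the variable's lifetime, not a copy that ``putenv`` fails to make correctly.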
Even though it's formally called `automatic storage duration`, I'd say that `stack` variable is more commonly understood among programmers. Consequently, I'd suggest `security.PutenvWithStack` or `security.PutenvWithStackVar` instead. I think it would be easier to discover that way. But I guess this should be discussed separately.

https://github.com/llvm/llvm-project/pull/92424

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits