================
@@ -1179,6 +1179,54 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
strncpy(buf, "a", 1); // warn
}
+.. _security-putenv-with-auto:
+
+security.PutenvWithAuto
+"""""""""""""""""""""""
+Finds calls to the ``putenv`` function which pass a pointer to an automatic
variable as the argument.
+Function ``putenv`` does not copy the passed string, only a pointer to the
data is stored.
+Content of an automatic variable is likely to be overwritten after returning
from the parent function.
----------------
steakhal wrote:
Even though it's formally called `automatic storage duration`, I'd say that
`stack`-variable is more commonly understood among programmers.
Consequently, I'd suggest `security.PutenvWithStack` or
`security.PutenvWithStackVar` instead. I think it would be easier to discover
that way.
But I guess, this should be discussed separately.
https://github.com/llvm/llvm-project/pull/92424
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
