[clang] [clang][analyzer] Move checker alpha.security.cert.pos.34c into security.PutenvWithAuto (PR #92424)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Fri May 17 05:20:29 PDT 2024
================
@@ -1179,6 +1179,54 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
strncpy(buf, "a", 1); // warn
}
+.. _security-putenv-with-auto:
+
+security.PutenvWithAuto
+"""""""""""""""""""""""
+Finds calls to the ``putenv`` function which pass a pointer to an automatic variable as the argument.
+Function ``putenv`` does not copy the passed string, only a pointer to the data is stored.
+Content of an automatic variable is likely to be overwritten after returning from the parent function.
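Review bot: The second sentence of the new description is a comma splice and the third is imprecise about which function's return invalidates the pointer. Suggest splitting the sentence and naming the function explicitly, e.g. "Function ``putenv`` does not copy the passed string; only a pointer to the data is stored." and "The content of an automatic variable is likely to be overwritten after the function in which it was declared returns." Also consider ending the first sentence by stating the consequence (the environment then holds a dangling pointer), since the entries above explain why each pattern is a problem, not only what is matched.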
----------------
steakhal wrote:
Even though it's formally called `automatic storage duration`, I'd say that `stack`-variable is more commonly understood among programmers.
Consequently, I'd suggest `security.PutenvWithStack` or `security.PutenvWithStackVar` instead. I think it would be easier to discover that way.
But I guess this should be discussed separately.
https://github.com/llvm/llvm-project/pull/92424