[clang] [clang][analyzer] Move PutenvStackArrayChecker out of alpha package. (PR #93980)

Balázs Kéri via cfe-commits cfe-commits at lists.llvm.org
Mon Jun 3 00:30:53 PDT 2024


================
@@ -1179,6 +1179,41 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
    strncpy(buf, "a", 1); // warn
  }
 
+.. _security-putenv-stack-array:
+
+security.PutenvStackArray (C)
+"""""""""""""""""""""""""""""
+Finds calls to the ``putenv`` function which pass a pointer to a stack-allocated
+(automatic) array as the argument. Function ``putenv`` does not copy the passed
+string, only a pointer to the data is stored and this data can be read even by
+other threads. Content of a stack-allocated array is likely to be overwritten
+after returning from the parent function.
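
Review bot: In the last sentence of the added description, "the parent function" does not say which function is meant, and "likely to be overwritten" understates the problem: once the function that declares the array returns, the pointer that ``putenv`` stored in the environment dangles, and any later ``getenv`` read through it is undefined behavior. Suggest wording such as "after the function that declares the array returns", and splitting "does not copy the passed string, only a pointer to the data is stored" into two sentences to remove the comma splice.
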
----------------
balazske wrote:

This text was not accurate, probably even better is "after exiting from the function" (the "parent function" was meant to be the parent of the allocated stack memory).

https://github.com/llvm/llvm-project/pull/93980

