3

Coverity is claiming getenv is returning a tainted string and I've exhausted all of my ideas for return value checking. I looked at the other questions similar to mine, but none of their solutions worked for me.

I've tried checking the return for NULL, I've tried strdup, strncpy, memcpy and nothing seems to make the tainted string go away.

Here's the original code without the checks that didn't work:

    void my_func()
    {
       for(int port = 0; port < NUM_PORTS; port++) {
          download_id_table(port,getenv("ID_FILE")); //tainted string from getenv
       }
       download_info(getenv("INFO_FILE")); //tainted string from getenv

       //...
    }

Any ideas on how I can get Coverity to believe it's no longer tainted?

AsiaRican
  • 1
    The return value from `getenv` is "tainted" because it returns user defined data. The user can define the environment variable. Your program cannot control the value and therefore should implement sanity checks. – Bodo Feb 18 '19 at 18:05
  • 1
    Look here: https://community.synopsys.com/s/article/From-Case-Clearing-TAINTED-STRING – Ctx Feb 18 '19 at 18:41

2 Answers

0

I've experienced similar issues. The following worked for me:

  1. Confirm that the environment variable is saved properly within your system (for Windows, that's in System>Advanced Settings>Environment Variables).
  2. Restart the Text Editor/IDE/Jupyter Notebook you're using to run your code.
DonCarleone
0

Try getting the size of your environment variable, then sanitize the input. Coverity is telling you that ID_FILE and INFO_FILE are external variables which could be under an attacker's control, so it could cause stack buffer overflow if the actual size of it is greater than the size of the C variable you're placing it into.

Do a check for the size of your variable and if it's >= to the expected length, then return with error. (>= to account for NULL character at the end of string)

Pseudo code

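    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #define MAX_STR_BUF_SIZE 16

    /* Returns 0 if ID_FILE is set and fits in MAX_STR_BUF_SIZE bytes, 1 otherwise. */
    int check_id_file(void)
    {
        const char *id_file = getenv("ID_FILE");
        if (id_file == NULL) return 1;            /* variable is not set */
        size_t size = strlen(id_file);            /* length of the value, not a number parsed from it */
        if (size >= MAX_STR_BUF_SIZE) return 1;   /* >= leaves room for the terminating '\0' */
        printf("ID_FILE = %s\n", id_file);
        return 0;
    }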
Linh
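The sanity checks that the comments and the second answer call for, written out as an added example (not code from the question or either answer): the `getenv` result is checked for NULL, bounded in length, matched against an allowlist of characters, rejected if it contains `..`, and only then copied into a caller-owned buffer. The names `sanitize_path`, `env_path`, `MAX_PATH_LEN` and the allowed character set are assumptions chosen for illustration; whether Coverity then treats the copy as sanitized depends on how the analysis is configured.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 64   /* assumed limit; size it to what the consumer accepts */

/* Copy `value` into `out` only if it passes every check; return 0 on success.
 * -1: unset or empty, -2: too long, -3: disallowed character, -4: ".." present */
int sanitize_path(const char *value, char *out, size_t outsz)
{
    /* Assumed allowlist for a plain file path; tighten it for your deployment. */
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/";

    if (value == NULL || value[0] == '\0') return -1;
    size_t len = strlen(value);
    if (len >= outsz || len >= MAX_PATH_LEN) return -2;  /* >= keeps room for '\0' */
    if (strspn(value, allowed) != len) return -3;        /* allowlist, not denylist */
    if (strstr(value, "..") != NULL) return -4;          /* no directory traversal */
    memcpy(out, value, len + 1);  /* private copy: later setenv/putenv cannot change it */
    return 0;
}

/* Wrapper for the getenv() case from the question. */
int env_path(const char *name, char *out, size_t outsz)
{
    return sanitize_path(getenv(name), out, outsz);
}

int main(void)
{
    /* Constructed sample values standing in for the contents of ID_FILE. */
    const char *samples[] = { "/opt/app/id_table.bin", "../../etc/passwd",
                              "id table?.bin", "" };
    char path[MAX_PATH_LEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i],
               sanitize_path(samples[i], path, sizeof path));

    /* Real use: only pass `path` on when the return value is 0. */
    if (env_path("ID_FILE", path, sizeof path) != 0)
        fprintf(stderr, "ID_FILE is unset or failed validation\n");
    return 0;
}
```

In `my_func`, the validated buffer rather than the raw `getenv` pointer would be what is passed to `download_id_table` and `download_info`.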