sqc 0.4.13

Software Code Quality - CERT C compliance checker
/*
 * Rule: ERR07-C (CWE-114)
 * Status: FAIL - Environment variable flows to dlopen
 */

/*
 * Local stand-in prototypes for the two library functions the fixture
 * exercises.  They match the POSIX signatures from <dlfcn.h> and
 * <stdlib.h>; presumably they are declared here so the fixture compiles
 * (and the checker's taint model stays small) without pulling in system
 * headers -- confirm against the project's other fixtures.
 */
void *dlopen(const char *filename, int flags);
char *getenv(const char *name);

void f(void) {
    /*
     * Fixture for ERR07-C / CWE-114: the object name handed to dlopen()
     * comes straight from the process environment, which the invoking
     * user or a parent process controls.  Nothing validates the value
     * or pins it to a trusted directory, so the flow getenv -> dlopen is
     * what the checker reports.  A compliant version would resolve the
     * name against a fixed, trusted directory or an allow-list before
     * loading it.
     */
    const char *untrusted_name = getenv("PLUGIN_PATH");  /* Taint source */

    /*
     * VIOLATION: tainted input to dlopen.  Whatever object the path names
     * is mapped into this process and its constructors run with the
     * process's privileges.  If PLUGIN_PATH is unset, getenv() yields NULL
     * and dlopen(NULL, ...) returns a handle for the main program instead
     * of failing.  The literal flag 1 is presumably RTLD_LAZY (the glibc
     * value) -- confirm against <dlfcn.h>.  The handle is neither checked
     * nor dlclose()d; that is deliberate in this fixture.
     */
    void *plugin = dlopen(untrusted_name, 1);
    (void)plugin;  /* result intentionally unused by the fixture */
}