PRB: _searchenv() Does Not Check the Buffer Size (129479)
The information in this article applies to:
- The C Run-Time (CRT), when used with:
- Microsoft Visual C++, 32-bit Editions 2.1
- Microsoft Visual C++, 32-bit Editions 4.0
- Microsoft Visual C++, 32-bit Editions 5.0
- Microsoft Visual C++, 32-bit Editions 6.0
This article was previously published under Q129479 SYMPTOMS
If _searchenv() is called with a pathname buffer (third parameter) that has
a length shorter than the length of the fully qualified path name returned,
the function will overwrite the buffer.
CAUSE
As the documentation states, "You must ensure that there is sufficient
space for the constructed path." A number of CRT routines, including
_searchenv(), do not take a size parameter and cannot check to see if the
buffer passed is big enough to hold the data. It is up to the programmer to
make sure the buffer is large enough for the data.
RESOLUTION
To avoid potential access violations that occur because of the overwrite,
do one of the following:
- Before calling _searchenv(), check to see that the sum of the length
of the filename and the length of any directory in the environment
variable to be used (for example, the PATH) does not exceed _MAX_PATH.
If it does, give an error message to the user.
-or-
- Increase the length of buffer (pathname) passed to _searchenv() so
that it is at least as big as the sum of the length of the filename
and the length of the longest directory in the environment variable
to be used.
STATUS
This behavior is by design.
| Modification Type: | Major | Last Reviewed: | 12/9/2003 |
|---|
| Keywords: | kbCRT kbprb KB129479 |
|---|
|