PRB: _searchenv() Does Not Check the Buffer Size

• The C Run-time Library (CRT) included with: - Microsoft Visual C++, 32-bit Edition, version 2.1 4.0, 5.0 on the

       following platform:
       - x86
  

SYMPTOMS

If _searchenv() is called with a pathname buffer (third parameter) that has a length shorter than the length of the fully qualified path name returned, the function will overwrite the buffer.

CAUSE

As the documentation states, "You must ensure that there is sufficient space for the constructed path." A number of CRT routines, including _searchenv(), do not take a size parameter and cannot check to see if the buffer passed is big enough to hold the data. It is up to the programmer to make sure the buffer is large enough for the data.

RESOLUTION

To avoid potential access violations that occur because of the overwrite, do one of the following:

• Before calling _searchenv(), check to see that the sum of the length of the filename and the length of any directory in the environment variable to be used (for example, the PATH) does not exceed _MAX_PATH. If it does, give an error message to the user.

  -or-

• Increase the length of buffer (pathname) passed to _searchenv() so that it is at least as big as the sum of the length of the filename and the length of the longest directory in the environment variable to be used.

STATUS

This behavior is by design.

Keywords          : CRTIss
Version           : 2.1 4.0 5.0
Platform          : NT WINDOWS
Issue type        : kbprb