Tainted string in C

孤独总比滥情好 2021-01-19 02:18

I'm running the Coverity tool in my file operation function and getting the following error.

As you can see below, I'm using snprintf() before passing this variable

3 Answers
  •  心在旅途
    2021-01-19 02:54

    Try the following:

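    char* id_str = getenv("ID");
    if (id_str) {
       /* Copy the environment value before parsing it. */
       id_str = strdup(id_str);
       if (id_str) {   /* strdup() returns NULL if allocation fails */
          id = atoi(id_str);
          free( id_str );
       }
    }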
    

    The fn string passed to fopen is tainted by an environment variable. Using strdup may act as "sanitizing".
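
An added example, not part of the original question or answer: validating the environment value itself before it is formatted into the file name that reaches fopen, so the path can only contain a bounded integer. The names `parse_id` and `build_path`, the `MAX_ID` bound, the `/tmp` directory and the `id_<n>.dat` pattern are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ID 9999L  /* assumed upper bound for a valid ID */

/* Parse a decimal ID from untrusted text. Returns 0 and stores the value
 * on success, -1 if the text is missing, non-numeric, has trailing
 * characters, overflows, or is outside 0..MAX_ID. */
int parse_id(const char *text, int *out)
{
    char *end = NULL;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;
    if (v < 0 || v > MAX_ID)
        return -1;
    *out = (int)v;
    return 0;
}

/* Build "<dir>/id_<n>.dat" from the validated ID. Returns 0 on success,
 * -1 if snprintf fails or the result would be truncated. */
int build_path(char *buf, size_t len, const char *dir, int id)
{
    int n = snprintf(buf, len, "%s/id_%d.dat", dir, id);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char fn[64];
    int id;

    /* Reject the request unless both the ID and the path are valid. */
    if (parse_id(getenv("ID"), &id) != 0 ||
        build_path(fn, sizeof fn, "/tmp", id) != 0) {
        fputs("ID is missing or invalid\n", stderr);
        return 1;
    }
    printf("would open %s\n", fn);  /* fopen(fn, "r") goes here */
    return 0;
}
```

Unlike atoi(), strtol() reports overflow and trailing characters, so input such as `12abc` or `../../etc/passwd` is rejected instead of silently becoming 12 or 0.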
