This is really just a bug in the standards. Even C11 keeps language that allows the buffer to be overwritten, but at the same time, it does not permit data races with other calls to getenv, only with (implementation-defined) functions which modify the environment, so permitting this overwriting to take place seems contradictory.
On all real-world implementations, including glibc, getenv returns the pointer to the copy of the string in the internal representation of the environment, and will never be invalidated except possibly if you call functions which modify the environment.
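
An added example, not part of the original answer: a C check of the behaviour described above, together with the defensive copy to take before any call that modifies the environment. The helper names and the DEMO_A / DEMO_B variables are hypothetical, and it assumes a POSIX system where setenv() and environ are available.

```c
#define _POSIX_C_SOURCE 200809L  /* setenv() and environ are POSIX, not ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char **environ;

/* Hypothetical helper: caller-owned copy of the value, NULL if unset or out of memory. */
char *getenv_copy(const char *name) {
    const char *v = getenv(name);
    if (v == NULL) return NULL;
    char *copy = malloc(strlen(v) + 1);      /* sized exactly, so strcpy is safe */
    if (copy != NULL) strcpy(copy, v);
    return copy;
}

/* 1 if getenv(name) points at the value part of the "name=value" entry in environ. */
int points_into_environ(const char *name) {
    const char *v = getenv(name);
    size_t len = strlen(name);
    for (char **e = environ; v != NULL && e != NULL && *e != NULL; e++)
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
            return v == *e + len + 1;
    return 0;
}

/* 1 if a second getenv() call leaves the first result intact. */
int second_lookup_keeps_first(void) {
    if (setenv("DEMO_A", "alpha", 1) != 0 || setenv("DEMO_B", "beta", 1) != 0) return 0;
    const char *a = getenv("DEMO_A");
    const char *b = getenv("DEMO_B");  /* the standard's wording lets this overwrite *a */
    return a && b && a != b && strcmp(a, "alpha") == 0 && strcmp(b, "beta") == 0;
}

/* 1 if a private copy keeps the old value once the environment is modified. */
int copy_survives_setenv(void) {
    if (setenv("DEMO_A", "alpha", 1) != 0) return 0;
    char *saved = getenv_copy("DEMO_A");
    if (saved == NULL || setenv("DEMO_A", "changed", 1) != 0) { free(saved); return 0; }
    const char *now = getenv("DEMO_A");
    int ok = now != NULL && strcmp(saved, "alpha") == 0 && strcmp(now, "changed") == 0;
    free(saved);
    return ok;
}

int main(void) {
    printf("second lookup keeps first: %d\n", second_lookup_keeps_first());
    printf("points into environ:       %d\n", points_into_environ("DEMO_A"));
    printf("copy survives setenv:      %d\n", copy_survives_setenv());
}
```

The copy in getenv_copy is what stays valid regardless of what setenv does with the old string, so it is the pointer to keep across environment changes.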