...
Similarly, Section 7.14.1 paragraph 5 of C99 [ISO/IEC 9899:1999] states that if the signal occurs other than as the result of calling the abort or raise function, the behavior is undefined if:

> ...the signal handler calls any function in the standard library other than the abort function, the _Exit function, or the signal function with the first argument equal to the signal number corresponding to the signal that caused the invocation of the handler.

Many systems define an implementation-specific list of asynchronous-safe functions. In general, I/O functions are not safe to invoke inside signal handlers. Check your system's asynchronous-safe functions before using them in signal handlers.
...
In this noncompliant code example, the program allocates a string on the heap and uses it to log messages in a loop. The program also registers the signal handler handler() to handle the terminal interrupt signal SIGINT. The handler() function logs the last message, calls free(), and exits.
```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

enum { MAXLINE = 1024 };
char *info = NULL;

void log_message(void) {
  /* Fixed format string so that info is never interpreted as a format */
  fprintf(stderr, "%s", info);
}

void handler(int signum) {
  /* Noncompliant: fprintf() and free() are not asynchronous-safe */
  log_message();
  free(info);
  info = NULL;
}

int main(void) {
  if (signal(SIGINT, handler) == SIG_ERR) {
    /* Handle error */
  }
  info = (char*)malloc(MAXLINE);
  if (info == NULL) {
    /* Handle error */
  }

  while (1) {
    /* Main loop program code */

    log_message();

    /* More program code */
  }
  return 0;
}
```
...
The following table from the Open Group Base Specifications [Open Group 04] defines a set of functions that are asynchronous-signal-safe. Applications may invoke these functions, without restriction, from signal-catching functions.

Asynchronous-signal-safe functions
...
Signal handlers should be as concise as possible, ideally unconditionally setting a flag and returning. They may also call the _Exit() function. Finally, they may call functions listed above as asynchronous-safe, or other functions provided that all implementations to which the code is ported guarantee that these functions are asynchronous-safe.

This example code achieves compliance with this rule by moving the final log message and call to free() outside the signal handler.
```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

enum { MAXLINE = 1024 };
volatile sig_atomic_t eflag = 0;
char *info = NULL;

void log_message(void) {
  /* Fixed format string so that info is never interpreted as a format */
  fprintf(stderr, "%s", info);
}

void handler(int signum) {
  /* Only set a flag; all other work happens in main() */
  eflag = 1;
}

int main(void) {
  if (signal(SIGINT, handler) == SIG_ERR) {
    /* Handle error */
  }
  info = (char*)malloc(MAXLINE);
  if (info == NULL) {
    /* Handle error */
  }

  while (!eflag) {
    /* Main loop program code */

    log_message();

    /* More program code */
  }

  log_message();
  free(info);
  info = NULL;

  return 0;
}
```
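When a message has to be emitted from inside the handler itself, it can be built without stdio or the heap and sent with a function the platform guarantees to be asynchronous-safe. The following is an added example, not code from the original page: it assumes a POSIX system on which write() is asynchronous-signal-safe, and format_signal_msg() and install_handler() are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* Assumption: POSIX sigaction() and write() */
#endif
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>

volatile sig_atomic_t eflag = 0;

/* Hypothetical helper: builds "caught signal N\n" in buf using only local
 * state (no stdio, no heap). Returns the length, or 0 if buf is too small. */
size_t format_signal_msg(int signum, char *buf, size_t cap) {
  static const char prefix[] = "caught signal ";
  char digits[12];
  size_t nd = 0, len = sizeof(prefix) - 1;
  unsigned int v = (unsigned int)signum;

  do {                               /* Decimal digits, least significant first */
    digits[nd++] = (char)('0' + v % 10);
    v /= 10;
  } while (v != 0);

  if (len + nd + 1 > cap) return 0;  /* prefix + digits + newline must fit */
  for (size_t i = 0; i < len; i++) buf[i] = prefix[i];
  while (nd > 0) buf[len++] = digits[--nd];
  buf[len++] = '\n';
  return len;
}

void handler(int signum) {
  int saved_errno = errno;           /* write() may modify errno */
  char msg[48];
  size_t n = format_signal_msg(signum, msg, sizeof(msg));
  if (n > 0) {
    ssize_t r = write(STDERR_FILENO, msg, n);  /* Unbuffered, no locks taken */
    (void)r;                         /* Nothing safe to do on failure here */
  }
  eflag = 1;                         /* Main loop does the real cleanup */
  errno = saved_errno;
}

/* Hypothetical helper: registers handler() with sigaction(); 0 on success. */
int install_handler(int signum) {
  struct sigaction sa;
  sa.sa_handler = handler;
  sa.sa_flags = 0;
  sigemptyset(&sa.sa_mask);
  return sigaction(signum, &sa, NULL);
}
```

The call to free() still belongs in main() after the loop observes eflag, exactly as in the compliant solution above.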
...
For an overview of some software vulnerabilities resulting from improper signal handling, see Zalewski's paper on understanding, exploiting, and preventing signal-handling-related vulnerabilities [Zalewski 01]. VU #834865 (http://www.kb.cert.org/vuls/id/834865) describes a vulnerability resulting from a violation of this rule.
...