Most functions defined by the C11 C Standard, Annex K Bounds-checking interfaces, include, as part of their specification, a list of runtime constraints, violations of which can be consistently handled at runtime. Library implementations must verify that the runtime constraints for a function are not violated by the program. If a runtime constraint is violated, the runtime-constraint handler currently registered with set_constraint_handler_s() is called.
...
The runtime constraint handler might not return. If the handler does return, the library function whose runtime constraint was violated shall return some indication of failure as given by the returns section in the function's specification.
These runtime-constraint handlers mitigate some of the potential insecurity caused by in-band error indicators. (See ERR02-C. Avoid in-band error indicators.)
...
The result is inconsistent behavior across implementations and possible termination of the program instead of a graceful exit. The implementation-defined default handler performs a default action consistent with a particular implementation. However, this may not be the desired action, and because the behavior is implementation-defined, it is not guaranteed to be the same on all implementations.
It is therefore prudent to explicitly install a runtime-constraint handler to ensure consistent behavior across implementations.
...
This compliant solution explicitly installs a runtime-constraint handler by invoking the set_constraint_handler_s() function. This would typically be done during system initialization, before any function that uses the bounds-checking interfaces is invoked.
```c
#define __STDC_WANT_LIB_EXT1__ 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Handler signature required by C11 K.3.6.1.1 (constraint_handler_t) */
void handle_errors(const char * restrict msg, void * restrict ptr, errno_t error) {
  /* Handle runtime-constraint error */
  (void)ptr;
  fprintf(stderr, "Runtime-constraint violation: %s (error %d)\n", msg, (int)error);
}

/*...*/

/* Performed during system initialization, before any bounds-checked function is called */
void init(void) {
  set_constraint_handler_s(handle_errors);
}

/*...*/

/* Returns zero on success */
errno_t function(char *dst1, size_t size) {
  char src1[100] = "hello";

  if (strcpy_s(dst1, size, src1) != 0) {
    return -1;
  }
  /* ... */
  return 0;
}
```
...
Although the ISO/IEC TR 24731-1 functions were created by Microsoft, currently available versions of Microsoft Visual Studio do not support the same interface defined by the technical report for installing runtime-constraint handlers. Visual Studio calls these functions "invalid parameter handlers," and they are installed by calling the _set_invalid_parameter_handler() function. The signature of the handler is also significantly different.
...
The TR24731-1 standard indicates that if no constraint handler is set, a default one executes when errors arise. The default handler is implementation-defined and "may cause the program to exit or abort." It is important to understand the behavior of the default handler for all implementations being used and replace it if the behavior is inappropriate for the application.
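Because many toolchains (glibc among them) do not ship Annex K, the following added example, which is not part of the original page or of the CERT standard, models the handler mechanism in portable C so the behavior described in the compliant solution and in the paragraph above can be run and observed: a `my_strcpy_s()` that verifies its runtime constraints (null pointers, a zero or oversized `s1max`, a destination too small for the source), an implementation-defined default handler that aborts, and an explicitly installed handler, registered once during initialization, that records the violation and returns so that the caller sees the in-band failure code instead of the process terminating. Every `my_`-prefixed name, the `MY_RSIZE_MAX` limit, `handle_errors`, `init_constraint_handling`, `copy_into` and the two accessor functions are assumptions of this example.

```c
/* Added example (not from the CERT page): a constructed, portable model of
 * the Annex K runtime-constraint handler mechanism. Every my_-prefixed name
 * and the helpers below are assumptions of this example, not Annex K. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int my_errno_t;
typedef size_t my_rsize_t;
#define MY_RSIZE_MAX ((my_rsize_t)(1u << 20))   /* constructed stand-in for RSIZE_MAX */

/* Handler type modeled on constraint_handler_t (C11 K.3.6.1.1) */
typedef void (*my_constraint_handler_t)(const char *msg, void *ptr, my_errno_t error);

/* Implementation-defined default: this one aborts, like abort_handler_s() */
static void my_abort_handler(const char *msg, void *ptr, my_errno_t error) {
    (void)ptr;
    fprintf(stderr, "default handler: %s (error %d), aborting\n", msg, error);
    abort();
}

static my_constraint_handler_t current_handler = my_abort_handler;

/* Modeled on set_constraint_handler_s(): NULL reinstates the default */
my_constraint_handler_t my_set_constraint_handler(my_constraint_handler_t h) {
    my_constraint_handler_t prev = current_handler;
    current_handler = (h == NULL) ? my_abort_handler : h;
    return prev;
}

/* Modeled on strcpy_s(): verify the runtime constraints; on a violation,
 * null-terminate the destination when that is safe, invoke the current
 * handler, and return the in-band error code if the handler returns. */
my_errno_t my_strcpy_s(char *s1, my_rsize_t s1max, const char *s2) {
    const char *msg;
    my_errno_t err;
    if (s1 == NULL || s2 == NULL) {
        msg = "null pointer argument"; err = EINVAL;
    } else if (s1max == 0 || s1max > MY_RSIZE_MAX) {
        msg = "s1max is zero or exceeds RSIZE_MAX"; err = ERANGE;
    } else {
        size_t n = 0;                  /* length of s2, never scanning past s1max */
        while (n < s1max && s2[n] != '\0') n++;
        if (n < s1max) {
            memcpy(s1, s2, n + 1);     /* fits: copy including the terminator */
            return 0;
        }
        msg = "destination too small for source string"; err = ERANGE;
    }
    if (s1 != NULL && s1max > 0 && s1max <= MY_RSIZE_MAX) s1[0] = '\0';
    current_handler(msg, NULL, err);
    return err;                        /* reached only if the handler returns */
}

/* Explicitly installed handler: records the violation and returns, so the
 * caller acts on the failure code instead of the process being aborted. */
static int violations_seen = 0;
static my_errno_t last_error = 0;

static void handle_errors(const char *msg, void *ptr, my_errno_t error) {
    (void)ptr;
    violations_seen++;
    last_error = error;
    fprintf(stderr, "handle_errors: %s (error %d)\n", msg, error);
}

/* Performed once during initialization, before any checked function runs */
void init_constraint_handling(void) {
    my_set_constraint_handler(handle_errors);
}

int violations_seen_count(void) { return violations_seen; }
my_errno_t last_violation_error(void) { return last_error; }

/* Mirrors function() in the compliant solution: zero on success, -1 on violation */
my_errno_t copy_into(char *dst, my_rsize_t size, const char *src) {
    return (my_strcpy_s(dst, size, src) != 0) ? -1 : 0;
}

int main(void) {
    char small[4];
    init_constraint_handling();
    /* "hello" needs 6 bytes: the handler reports it and copy_into() returns -1 */
    printf("hello -> %d (dst=\"%s\")\n", (int)copy_into(small, sizeof small, "hello"), small);
    printf("hi    -> %d (dst=\"%s\")\n", (int)copy_into(small, sizeof small, "hi"), small);
    return 0;
}
```

If `init_constraint_handling()` is left out, the first violation reaches `my_abort_handler` and the process dies, which is exactly the implementation-dependent outcome the rule warns about; installing the handler up front makes the failure a return value the caller can check.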
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
| | |
|---|---|
| ERR03-CPP. Use runtime-constraint handlers when calling functions defined by TR24731-1 | |
| ISO/IEC TR 24731-1:2007 | Section 6.1.4, "Runtime-Constraint Violations"; Section 6.6.1, "Runtime-Constraint Handling" |
Bibliography
...