...
When FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char) applies, callers shall determine the success or failure of the functions in this table as follows:
1. By calling ferror() and feof()
2. By calling ferror()
...
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern void log_message(const char *);

void f(int i, int width, int prec) {
  char buffer[20];
  char *buf = buffer;
  int n = sizeof(buffer);
  const char fmt[] = "i = %*.*i";

  n = snprintf(buf, n, fmt, width, prec, i);
  if (n < 0) {
    /* Handle snprintf() error */
    strcpy(buffer, "unknown error");
    goto write_log;
  }

  if ((size_t)n < sizeof(buffer)) {
    /* The formatted string fit in the stack buffer */
    goto write_log;
  }

  /* Output was truncated: n is the length needed, so allocate n + 1 for the terminator */
  buf = (char *)malloc(n + 1);
  if (NULL == buf) {
    /* Handle malloc() error: fall back to the stack buffer so log_message() never sees NULL */
    buf = buffer;
    strcpy(buffer, "unknown error");
    goto write_log;
  }

  n = snprintf(buf, n + 1, fmt, width, prec, i);
  if (n < 0) {
    /* Handle snprintf() error: release the heap buffer and log from the stack buffer */
    free(buf);
    buf = buffer;
    strcpy(buffer, "unknown error");
  }

write_log:
  log_message(buf);

  if (buf != buffer) {
    free(buf);
  }
}
```
Exceptions
ERR33-EX0: The exception from EXP12-C. Do not ignore values returned by functions still applies. If the return value is inconsequential or if any errors can be safely ignored, such as for functions called because of their side effects, the function should be explicitly cast to void to signify programmer intent.

ERR33-EX1: It is acceptable to ignore the return value of a function that cannot fail or whose return value is inconsequential, that is, if an error condition need not be diagnosed. For example, strcpy() is one such function. The function's result should be explicitly cast to void to signify programmer intent. Return values from the following functions do not need to be checked because their historical use has overwhelmingly omitted error checking, and the consequences are not relevant to security.
Function | Successful Return | Error Return
---|---|---
putchar() | Character written | EOF
putwchar() | Wide character written | WEOF
puts() | Nonnegative | EOF
printf(), vprintf() | Number of characters (nonnegative) | Negative
wprintf(), vwprintf() | Number of wide characters (nonnegative) | Negative
kill_dependency() | The input parameter | NA
memcpy(), wmemcpy() | The destination input parameter | NA
memmove(), wmemmove() | The destination input parameter | NA
strcpy(), wcscpy() | The destination input parameter | NA
strncpy(), wcsncpy() | The destination input parameter | NA
strcat(), wcscat() | The destination input parameter | NA
strncat(), wcsncat() | The destination input parameter | NA
memset(), wmemset() | The destination input parameter | NA
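The following is an added example, not code from the CERT standard, that ties together two points on this page: the footnotes on determining success via ferror() and feof() (a short count from fread() and an EOF from getc() are ambiguous until those are consulted), and the ERR33-EX0/EX1 practice of casting deliberately ignored return values to void. The function names read_all() and demo_read_record(), the read_status codes, and the sample record are all assumptions made for this example; the input is constructed inline and written to a tmpfile() so the program runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical names, not CERT's own code). */
enum read_status { READ_OK = 0, READ_IO_ERROR = -1, READ_TRUNCATED = -2 };

/*
 * Read at most cap bytes from fp into out and report how many were read.
 * A short count from fread() alone does not say whether the stream ended or
 * failed, so ferror()/feof() are consulted (footnote 1 above). When the buffer
 * fills exactly, one getc() probes for remaining input; getc() returns EOF both
 * at end-of-file and on error, so ferror() disambiguates (footnote 2 above).
 */
int read_all(FILE *fp, unsigned char *out, size_t cap, size_t *len) {
    size_t n = fread(out, 1, cap, fp);
    *len = n;
    if (n < cap) {
        /* Short read: either a clean end-of-file or a stream error */
        return ferror(fp) ? READ_IO_ERROR : READ_OK;
    }
    int c = getc(fp);
    if (c == EOF) {
        return ferror(fp) ? READ_IO_ERROR : READ_OK;
    }
    if (ungetc(c, fp) == EOF) {
        return READ_IO_ERROR;
    }
    return READ_TRUNCATED;   /* more data remains than fits in out */
}

/*
 * Constructed demo: write a sample record to a temporary stream, read it back
 * with read_all(), and check every return value that can signal failure.
 * tmpfile(), fwrite() and fclose() are checked; rewind() has no return value;
 * the strcpy() result is cast to void per ERR33-EX1.
 */
int demo_read_record(char *dst, size_t cap, size_t *len) {
    const char sample[] = "id=42;status=ok\n";   /* constructed input, 16 bytes */
    const size_t sample_len = sizeof sample - 1;
    char record[32];
    (void)strcpy(record, sample);                /* ERR33-EX1: strcpy() cannot fail */

    FILE *fp = tmpfile();
    if (fp == NULL) {
        return READ_IO_ERROR;
    }
    int rc;
    if (fwrite(record, 1, sample_len, fp) != sample_len) {
        rc = READ_IO_ERROR;
    } else {
        rewind(fp);                              /* positions the stream for reading */
        rc = read_all(fp, (unsigned char *)dst, cap, len);
    }
    /* fclose() can fail while flushing; report it, but do not mask an earlier error */
    if (fclose(fp) == EOF && rc == READ_OK) {
        rc = READ_IO_ERROR;
    }
    return rc;
}

int main(void) {
    char buf[64];
    size_t len = 0;
    int rc = demo_read_record(buf, sizeof buf, &len);
    if (rc != READ_OK) {
        /* ERR33-EX0: diagnostic output whose own return value is inconsequential */
        (void)fprintf(stderr, "read failed: %d\n", rc);
        return EXIT_FAILURE;
    }
    (void)printf("read %zu bytes: %.*s", len, (int)len, buf);
    return EXIT_SUCCESS;
}
```

With a 64-byte destination the whole 16-byte record is read and READ_OK is returned; with an 8-byte destination read_all() reports READ_TRUNCATED rather than silently dropping the remainder, which is the distinction a caller cannot make from fread()'s count alone.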
Risk Assessment
Failing to detect error conditions can lead to unpredictable results, including abnormal program termination and denial-of-service attacks or, in some situations, could even allow an attacker to run arbitrary code.
...
...