SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 5

changes.mady.by.user Shaun Hedrick

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

TR 24731-1 defines a new type of errno_t which is type int in <errno.h> and elsewhere. Many of the functions defined in TR 24731-1 return values of this type. As a matter of programming style, errno_t should be used as the type of something that deals only with the values that might be found in errno. For example, a function which returns the value of errno should be declared as having the return type errno_t.

Non-Compliant Code Example

This non-compliant code example illustrates a function called opener() that is declared as returning a value of type int. The function, however, uses this return value to indicate the return status of the function by returning values of errno. Consequently, the meaning of the return value is not as clear as it could be.

Code Block
bgColor#FFCCCC
int opener(FILE* file, int *width, int *height, int *data_offset) {
  int file_w;
  int file_h;
  int file_o;
  int offset = 0;

  if (file == NULL) { return -1; }

  if (fscanf(file, "%i %i %i", &file_w, &file_h, &file_o)  != 3) { return -1; }

  if (fsetpos(file, &offset) != 0) { return -1; }

  *width = file_w;
  *height = file_h;
  *data_offset = file_o;

  return 0; 
}

Compliant Solution

In this compliant solution, the opener() function returns a value of type errno_t providing a clear indication that this returns a values that might be found in errno.

Code Block
bgColor#ccccff
errno_t opener(FILE* file, int *width, int *height, int *data_offset) {
  int file_w;
  int file_h;
  int file_o;
  int rc;
  fpos_t offset;

  if (file == NULL) { return EINVAL; }
  rc = fgetpos(file, &offset);
  if (rc != 0) { return (errno_t)rc; }
  if (fscanf(file, "%i %i %i", &file_w, &file_h, &file_o)  != 3) { return EIO; }
  rc = fsetpos(file, &offset);
  if (rc != 0) { return -1; }

  *width = file_w;
  *height = file_h;
  *data_offset = file_o;

  return 0; 
}

Risk Assessment

The misuse of fsetpos() could move a file stream read to a undesired location in the file. If this location held input from user the user would then gain control of the variables being read from the file.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL08 DCL09-A

1 (low)

1 (low)

2 (medium)

P2

L3

References

Wiki Markup
\[[ISO/IEC TR 24731-2006|AA. C References#ISO/IEC TR 24731-2006]\]
\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 6.7.5.3, "Function declarators (including prototypes)"