Page History

All standard library functions, including inputI/output O functions and memory allocation functions, return either a valid value or a value of the correct return type that indicates an error (for example, −1 or a null pointer). Assuming that all calls to such functions will succeed and failing to check the return value for an indication of an error is a dangerous practice that may lead to unexpected or undefined behavior when an error occurs. It is essential that programs detect and appropriately handle all errors in accordance with an error-handling policy, as discussed in ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy.

...

Function	Successful Return	Error Return
`aligned_alloc()`	Pointer to space	`NULL`
`asctime_s()`	`0`	Nonzero
`at_quick_exit()`	`0`	Nonzero
`atexit()`	`0`	Nonzero
`bsearch()`	Pointer to matching element	`NULL`
`bsearch_s()`	Pointer to matching element	`NULL`
`btowc()`	Converted wide character	`WEOF`
`c16rtomb()`	Number of bytes	`(size_t)(-1)`
`c32rtomb()`	Number of bytes	`(size_t)(-1)`
`calloc()`	Pointer to space	`NULL`
`clock()`	Processor time	`(clock_t)(-1)`
`cnd_broadcast()`	`thrd_success`	`thrd_error`
`cnd_init()`	`thrd_success`	`thrd_nomem or thrd_error`
`cnd_signal()`	`thrd_success`	`thrd_error`
`cnd_timedwait()`	`thrd_success`	`thrd_timedout or thrd_error`
`cnd_wait()`	`thrd_success`	`thrd_error`
`ctime_s()`	`0`	Nonzero
`fclose()`	`0`	`EOF` (negative)
`fflush()`	`0`	`EOF` (negative)
`fgetc()`	Character read	`EOF`²¹
`fgetpos()`	`0`	Nonzero
`fgets()`	Pointer to string	`NULL`
`fgetwc()`	Wide character read	`WEOF`²¹
`fopen()`	Pointer to stream	`NULL`
`fopen_s()`	`0`	Nonzero
`fprintf()`	Number of characters (nonnegative)	Negative
`fprintf_s()`	Number of characters (nonnegative)	Negative
`fputc()`	Character written	`EOF`¹²
`fputs()`	Nonnegative	`EOF` (negative)
`fputws()`	Nonnegative	`EOF` (negative)
`fread()`	Elements read	Elements read
`freopen()`	Pointer to stream	`NULL`
`freopen_s()`	`0`	Nonzero
`fscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`fscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`fseek()`	`0`	Nonzero
`fsetpos()`	`0`	Nonzero
`ftell()`	File position	`−1L`
`fwprintf()`	Number of wide characters (nonnegative)	Negative
`fwprintf_s()`	Number of wide characters (nonnegative)	Negative
`fwrite()`	Elements written	Elements written
`fwscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`fwscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`getc()`	Character read	`EOF`²¹
`getchar()`	Character read	`EOF`²¹
`getenv()`	Pointer to string	`NULL`
`getenv_s()`	Pointer to string	`NULL`
`gets_s()`	Pointer to string	`NULL`
`getwc()`	Wide character read	`WEOF`
`getwchar()`	Wide character read	`WEOF`
`gmtime()`	Pointer to broken-down time	`NULL`
`gmtime_s()`	Pointer to broken-down time	`NULL`
`localtime()`	Pointer to broken-down time	`NULL`
`localtime_s()`	Pointer to broken-down time	`NULL`
`malloc()`	Pointer to space	`NULL`
`mblen(), s != NULL`	Number of bytes	`−1`
`mbrlen(), s != NULL`	Number of bytes or status	`(size_t)(-1)`
`mbrtoc16()`	Number of bytes or status	`(size_t)(-1), errno == EILSEQ`
`mbrtoc32()`	Number of bytes or status	`(size_t)(-1), errno == EILSEQ`
`mbrtowc(), s != NULL`	Number of bytes or status	`(size_t)(-1), errno == EILSEQ`
`mbsrtowcs()`	Number of non-null elements	`(size_t)(-1), errno == EILSEQ`
`mbsrtowcs_s()`	`0`	Nonzero
`mbstowcs()`	Number of non-null elements	`(size_t)(-1)`
`mbstowcs_s()`	`0`	Nonzero
`mbtowc(), s != NULL`	Number of bytes	`−1`
`memchr()`	Pointer to located character	`NULL`
`mktime()`	Calendar time	`(time_t)(-1)`
`mtx_init()`	`thrd_success`	`thrd_error`
`mtx_lock()`	`thrd_success`	`thrd_error`
`mtx_timedlock()`	`thrd_success`	`thrd_timedout or thrd_error`
`mtx_trylock()`	`thrd_success`	`thrd_busy or thrd_error`
`mtx_unlock()`	`thrd_success`	`thrd_error`
`printf_s()`	Number of characters (nonnegative)	Negative
`putc()`	Character written	`EOF`¹²
`putwc()`	Wide character written	`WEOF`
`raise()`	`0`	Nonzero
`realloc()`	Pointer to space	`NULL`
`remove()`	`0`	Nonzero
`rename()`	`0`	Nonzero
`setlocale()`	Pointer to string	`NULL`
`setvbuf()`	`0`	Nonzero
`scanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`scanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`signal()`	Pointer to previous function	`SIG_ERR, errno > 0`
`snprintf()`	Number of characters that would be written (nonnegative)	Negative
`snprintf_s()`	Number of characters that would be written (nonnegative)	Negative
`sprintf()`	Number of non-null characters written	Negative
`sprintf_s()`	Number of non-null characters written	Negative
`sscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`sscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`strchr()`	Pointer to located character	`NULL`
`strerror_s()`	`0`	Nonzero
`strftime()`	Number of non-null characters	`0`
`strpbrk()`	Pointer to located character	`NULL`
`strrchr()`	Pointer to located character	`NULL`
`strstr()`	Pointer to located string	`NULL`
`strtod()`	Converted value	`0, errno == ERANGE`
`strtof()`	Converted value	`0, errno == ERANGE`
`strtoimax()`	Converted value	`INTMAX_MAX or INTMAX_MIN, errno == ERANGE`
`strtok()`	Pointer to first character of a token	`NULL`
`strtok_s()`	Pointer to first character of a token	`NULL`
`strtol()`	Converted value	`LONG_MAX or LONG_MIN, errno == ERANGE`
`strtold()`	Converted value	`0, errno == ERANGE`
`strtoll()`	Converted value	`LLONG_MAX or LLONG_MIN, errno == ERANGE`
`strtoumax()`	Converted value	`UINTMAX_MAX, errno == ERANGE`
`strtoul()`	Converted value	`ULONG_MAX, errno == ERANGE`
`strtoull()`	Converted value	`ULLONG_MAX, errno == ERANGE`
`strxfrm()`	Length of transformed string	`>= n`
`swprintf()`	Number of non-null wide characters	Negative
`swprintf_s()`	Number of non-null wide characters	Negative
`swscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`swscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`thrd_create()`	`thrd_success`	`thrd_nomem or thrd_error`
`thrd_detach()`	`thrd_success`	`thrd_error`
`thrd_join()`	`thrd_success`	`thrd_error`
`thrd_sleep()`	`0`	`negative`
`time()`	Calendar time	`(time_t)(-1)`
`timespec_get()`	Base	`0`
`tmpfile()`	Pointer to stream	`NULL`
`tmpfile_s()`	`0`	Nonzero
`tmpnam()`	Non-null pointer	`NULL`
`tmpnam_s()`	`0`	Nonzero
`tss_create()`	`thrd_success`	`thrd_error`
`tss_get()`	Value of thread-specific storage	`0`
`tss_set()`	`thrd_success`	`thrd_error`
`ungetc()`	Character pushed back	`EOF (negative; see below)`
`ungetwc()`	Character pushed back	`WEOF (negative)`
`vfprintf()`	Number of characters (nonnegative)	Negative
`vfprintf_s()`	Number of characters (nonnegative)	Negative
`vfscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vfscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`vfwprintf()`	Number of wide characters (nonnegative)	Negative
`vfwprintf_s()`	Number of wide characters (nonnegative)	Negative
`vfwscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vfwscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`vprintf_s()`	Number of characters (nonnegative)	Negative
`vscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`vsnprintf()`	Number of characters that would be written (nonnegative)	Negative
`vsnprintf_s()`	Number of characters that would be written (nonnegative)	Negative
`vsprintf()`	Number of non-null characters (nonnegative)	Negative
`vsprintf_s()`	Number of non-null characters (nonnegative)	Negative
`vsscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vsscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`vswprintf()`	Number of non-null wide characters	Negative
`vswprintf_s()`	Number of non-null wide characters	Negative
`vswscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vswscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`vwprintf_s()`	Number of wide characters (nonnegative)	Negative
`vwscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`vwscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)
`wcrtomb()`	Number of bytes stored	`(size_t)(-1)`
`wcschr()`	Pointer to located wide character	`NULL`
`wcsftime()`	Number of non-null wide characters	`0`
`wcspbrk()`	Pointer to located wide character	`NULL`
`wcsrchr()`	Pointer to located wide character	`NULL`
`wcsrtombs()`	Number of non-null bytes	`(size_t)(-1), errno == EILSEQ`
`wcsrtombs_s()`	`0`	Nonzero
`wcsstr()`	Pointer to located wide string	`NULL`
`wcstod()`	Converted value	`0, errno == ERANGE`
`wcstof()`	Converted value	`0, errno == ERANGE`
`wcstoimax()`	Converted value	`INTMAX_MAX or INTMAX_MIN, errno == ERANGE`
`wcstok()`	Pointer to first wide character of a token	`NULL`
`wcstok_s()`	Pointer to first wide character of a token	`NULL`
`wcstol()`	Converted value	`LONG_MAX or LONG_MIN, errno == ERANGE`
`wcstold()`	Converted value	`0, errno == ERANGE`
`wcstoll()`	Converted value	`LLONG_MAX or LLONG_MIN, errno == ERANGE`
`wcstombs()`	Number of non-null bytes	`(size_t)(-1)`
`wcstombs_s()`	`0`	Nonzero
`wcstoumax()`	Converted value	`UINTMAX_MAX, errno == ERANGE`
`wcstoul()`	Converted value	`ULONG_MAX, errno == ERANGE`
`wcstoull()`	Converted value	`ULLONG_MAX, errno == ERANGE`
`wcsxfrm()`	Length of transformed wide string	`>= n`
`wctob()`	Converted character	`EOF`
`wctomb(), s != NULL`	Number of bytes stored	`−1`
`wctomb_s(), s != NULL`	Number of bytes stored	`−1`
`wctrans()`	Valid argument to `towctrans`	`0`
`wctype()`	Valid argument to `iswctype`	`0`
`wmemchr()`	Pointer to located wide character	`NULL`
`wprintf_s()`	Number of wide characters (nonnegative)	Negative
`wscanf()`	Number of conversions (nonnegative)	`EOF` (negative)
`wscanf_s()`	Number of conversions (nonnegative)	`EOF` (negative)

When FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char) applies, callers shall determine the success or failure of the functions in this table as follows:

Anchor
use_feof_or_ferror
use_feof_or_ferror
By calling ferror and feof
Anchor
use_ferror
use_ferror
By calling ferror

Anchor

	use_feof_or_ferror
	use_feof_or_ferror

...

AnchorungetcungetcThe ungetc() function does not set the error indicator even when it fails, so it is not possible to check for errors reliably unless it is known that the argument is not equal to EOF. The C Standard [ISO/IEC 9899:2011] states that "one character of pushback is guaranteed," so this should not be an issue if, at most, one character is ever pushed back before reading again. (See FIO13-C. Never push back anything other than one read character.)

...

Code Block

bgColor	#ccccFF
lang	c

#include <locale.h>
#include <stdlib.h>
 
size_t utf8_to_ucs(wchar_t *ucs, size_t n, const char *utf8) {
  const char *save;
  save = setlocale(LC_CTYPE, "en_US.UTF-8");
  if (NULL == save) {
    /* Propagate error to caller. */
    return (size_t)-1;
  }

  n = mbstowcs(ucs, utf8, n);
  if (NULL == setlocale(LC_CTYPE, save))
    n = -1;

  return n;
}

...

Code Block

bgColor	#FFcccc
lang	c

#include <signal.h>
 
volatile sig_atomic_t interrupted;

void handle_interrupt(int signo) {
  interrupted = 1;
}

int f() {
  int result = 0;

  signal(SIGINT, handle_interrupt);

  while (0 == result && 0 == interrupted) {
    /* Perform a lengthy computation. */
  }

  /* Indicate success or failure. */
  return interrupted ? -1 : result;
}

...

Code Block

bgColor	#ccccFF
lang	c

#include <signal.h>
 
volatile sig_atomic_t interrupted;

void handle_interrupt(int signo) {
  interrupted = 1;
}

int f() {
  int result = 0;
  void (*saved_handler)(int);
  saved_handler = signal(SIGINT, handle_interrupt);

  if (SIG_ERR == saved_handler) {
    /* Indicate failure */
    return -1;
  }

  while (0 == result && 0 == interrupted) {
    /* Perform a lengthy computation. */
  }

  if (SIG_ERR == signal(SIGINT, saved_handler))
    return -1;

  /* Indicate success or failure. */
  return interrupted ? -1 : result;
}

...

Code Block

bgColor	#ccccff
lang	c

#include <stdlib.h>
#include <string.h>
 
typedef struct {
  char sig_desc[32];
} signal_info;
 
void func(size_t num_of_records, size_t temp_num,
          const char *tmp2) {
  signal_info *point;
  signal_info *start = (signal_info *)malloc(num_of_records *
                                           sizeof(signal_info));
  if (start == NULL) {
    /* Handle allocation error. */
  }
  point = start + temp_num - 1; 
  memcpy(point->sig_desc, tmp2, strlen(tmp2));
  /* ... */ 

}

...

In this noncompliant code example, input_string is copied into dynamically allocated memory referenced by str. However, the result of malloc() is not checked before str is referenced. Consequently, if malloc() fails, the program has undefined behavior. (See undefined behavior 109 in Annex J of the C Standard.) In practice, an abnormal termination of the process typically occurs, providing an opportunity for a denial-of-service attack. In some cases, it may be the source of other vulnerabilities, as well. (See the Related Vulnerabilities section.)

...

Code Block

bgColor	#ccccff
lang	c

#include <stdlib.h>
#include <string.h>
 
int f(char *input_string) {
  size_t size = strlen(input_string) + 1;
  char *str = (char *)malloc(size);
  if (str == NULL) {
    /* Handle allocation failure and return error status. */
    return -1;
  }
  strcpy(str, input_string);
  /* ... */
  free(str);
  return 0;
}

...

In this noncompliant code example, the fseek() function is used to set the file position to a location offset in the file referred to by file prior to reading a sequence of bytes from the file. However, if an I/O error occurs during the seek operation, the subsequent read will fill the buffer with the wrong contents.

...

Code Block

bgColor	#ccccff
lang	c

#include <stdio.h>
 
size_t read_at(FILE *file, long offset, void *buf,
               size_t nbytes) {
  if (fseek(file, offset, SEEK_SET) != 0) {
    /* Indicate error to caller. */
    return 0;
  }
  return fread(buf, 1, nbytes, file);
}

...

In the following noncompliant code example, snprinf() is assumed to succeed. However, if the call fails (for example, because of insufficient memory, as described in GNU libc bug 441945), the subsequent call to log_message() is likely to result in undefined behavior because the character buffer is not initialized and need not be null-terminated.

...

Code Block

bgColor	#ccccff
lang	c

#include <stdio.h>
#include <string.h>
 
extern void log_message(const char *);

void f(int i, int width, int prec) {
  char buf[40];
  int n;
  n = snprintf(buf, sizeof(buf), "i = %*.*i", width, prec, i);
  if (n < 0) {
    /* Handle snprintf() error. */
    strcpy(buf, "unknown error");
  }

  /* Null-terminate buffer in case of overflow. */
  buf[sizeof(buf) - 1] = '\0';    
  log_message(buf);
}

When the length of the formatted string is unbounded, it is best to invoke the function twice, once with a NULL buffer to determine the size of output, then dynamically allocate a buffer of sufficient size, and finally call snprintf() again to format the output into the dynamically allocated buffer. Even with this approach, the success of all calls still needs to be tested, and any errors still need to must be appropriately handled. A possible optimization is to first attempt to format the string into a reasonably small buffer allocated on the stack and, only when the buffer turns out to be too small, allocate one of a sufficient size dynamically. This approach is shown in the following compliant solution:

Note that this solution uses the goto statement, as suggested in MEM12-C. Consider using a goto chain when leaving a function on error when using and releasing resources.

...

Code Block

bgColor	#ccccff
lang	c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
extern void log_message(const char *); 
 
void f(int i, int width, int prec) {
  char buffer[20];
  char *buf = buffer;
  int n  = sizeof(buffer);
  const char fmt[] = "i = %*.*i";

  n = snprintf(buf, n, fmt, width, prec, i);
  if (n < 0) {
    /* Handle snprintf() error. */
    strcpy(buffer, "unknown error");
    goto write_log;
  }

  if (n < sizeof(buffer)) {
    goto write_log;
  }

  buf = (char *)malloc(n + 1);
  if (NULL == buf) {
    /* Handle malloc() error. */
    strcpy(buffer, "unknown error");
    goto write_log;
  }

  n = snprintf(buf, n, fmt, width, prec, i);
  if (n < 0) {
    /* Handle snprintf() error. */
    strcpy(buffer, "unknown error");
  }

write_log:
  log_message(buf);

  if (buf != buffer) {
    free(buf);
  }
}

...

EXP12-EX1: The exception from EXP12-C. Do not ignore values returned by functions still applies. If the return value is inconsequential or if any errors can be safely ignored, such as for functions called because of their side effects, the function should be explicitly cast to void to signify programmer intent. For an example of this exception, see "Compliant Solution (Remove Existing Destination File)" under "Portable Behavior" in FIO10-C. Take care when using the rename() function.

ERR33-EX1: Ignore the return value of a function that cannot fail or whose return value cannot signify that an error condition need not be diagnosed. For example, strcpy() is one such function.

...

Failing to detect error conditions can lead to unpredictable results, including abnormal program termination and denial-of-service attacks or, in some situations, could even allow an attacker to run arbitrary code.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
ERR33-C	highHigh	likelyLikely	mediumMedium	P18	L1

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

Can detect violations of this recommendation when checking for violations of EXP12-C. Do not ignore values returned by functions and EXP34-C. Do not dereference null pointers

Coverity

Include Page

	Coverity_V
	Coverity_V

CHECKED_RETURN

Finds inconsistencies in how function call return values are handled. Coverity Prevent cannot discover all violations of this recommendation, so further verification is necessary

Fortify SCA

5.0

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

80 D

Partially implemented

PRQA QA-C

Include Page

	PRQA_V
	PRQA_V

3200

Partially implemented

Related Vulnerabilities

The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even when calloc() returns NULL, Flash writes to an offset from the return value. Dereferencing NULL usually results in a program crash, but dereferencing an offset from NULL allows an exploit to succeed without crashing the program.

...

CERT C Secure Coding Standard	API04-C. Provide a consistent and usable error-checking mechanism ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy ERR02-C. Avoid in-band error indicators ERR05-C. Application-independent code should provide error detection without dictating error handling EXP12-C. Do not ignore values returned by functions FIO33-C. Detect and handle input output errors resulting in undefined behavior FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char) FLP03-C. Detect and handle floating-point errors FLP32-C. Prevent or detect domain and range errors in math functions
CERT C++ Secure Coding Standard	ERR10-CPP. Check for error conditions FIO04-CPP. Detect and handle input and output errors
ISO/IEC TR 17961 (Draft)	Failing to detect and handle standard library errors [liberr]
MITRE CWE	CWE-252, Unchecked return value CWE-253, Incorrect check of function return value CWE-390, Detection of error condition without action CWE-391, Unchecked error condition

...

[DHS 2006]	Handle All Errors Safely
[Henricson 1997]	Recommendation 12.1, "Check for All Errors Reported from Functions"
[ISO/IEC 9899:2011]	Subclause 7.21.7.10, "The `ungetc` Function"

...

Space shortcuts

Page tree

Versions Compared

Old Version 30

New Version 31

Key

Automated Detection

Related Vulnerabilities