There are situations in which a function may return an array on the basis of its length. If an array of length zero is being returned, NULL should not be used. An empty array must be used to ensure that the caller can handle the return value correctly.

Although C does not keep track of the length of an array, two popular methods have emerged to emulate this behavior. The first is to wrap the array in a struct with an integer storing the length. The second is to place a sentinel value at the end of the data in the array. This second approach is most commonly manifested in null-terminated byte strings (NTBSs).

Noncompliant Code Example (Struct)

In this noncompliant code example, an inventory system keeps track of the total number of different items (denoted length). Each item is given an index in the array, and the value at that index is the stock of that item. Adding a new item increases length in the struct. Stocking more of an item increases the value at that item's index. For example, if 5 books and 2 erasers were in stock, the inventory would be stockOfItem[0] = 5 and stockOfItem[1] = 2, assuming books were index 0 and erasers were index 1.

The problem arises in this setup when no items are stocked. getStock recognizes that length = 0 and therefore returns NULL. Erroneous behavior results from getStock returning NULL while main neglects to check for such a value, and the program terminates abnormally after control returns to main.

...
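The struct-based inventory described above, as an added example that is not code from the original page: it places the noncompliant getStock (NULL when length is 0) beside a compliant getStock that always returns the array and lets the length field describe it. The struct layout, addItem and totalStock are assumptions made for this example; the page only names getStock, length and stockOfItem.

```c
#include <stddef.h>
#include <stdio.h>

enum { INV_SIZE = 20 };

/* Inventory layout assumed for this example: the array carries its length */
struct Inventory {
  size_t length;                 /* number of distinct items in stock */
  size_t stockOfItem[INV_SIZE];  /* stockOfItem[i] is the stock of item i */
};

/* Noncompliant form of getStock: signals "no items" with NULL, so every
   caller that forgets the check dereferences a null pointer */
const size_t *getStockNoncompliant(const struct Inventory *inv) {
  if (inv->length == 0) {
    return NULL;
  }
  return inv->stockOfItem;
}

/* Compliant form: always return the array; a zero length describes it */
const size_t *getStock(const struct Inventory *inv) {
  return inv->stockOfItem;
}

/* Helper (assumed): add a new item with the given stock, returning its
   index, or (size_t)-1 when the inventory is full */
size_t addItem(struct Inventory *inv, size_t count) {
  if (inv->length >= INV_SIZE) {
    return (size_t)-1;
  }
  inv->stockOfItem[inv->length] = count;
  return inv->length++;
}

/* Helper (assumed): sum the stock of every item. Safe for an empty
   inventory because getStock never returns NULL and the loop is bounded
   by length, so zero iterations touch nothing. */
size_t totalStock(const struct Inventory *inv) {
  const size_t *stock = getStock(inv);
  size_t total = 0;
  size_t i;
  for (i = 0; i < inv->length; i++) {
    total += stock[i];
  }
  return total;
}

int main(void) {
  struct Inventory inv = { 0 };  /* constructed: nothing stocked yet */

  /* Empty inventory: the compliant getter still yields a usable pointer,
     the noncompliant one forces a special case on the caller */
  printf("items=%zu total=%zu\n", inv.length, totalStock(&inv));
  if (getStockNoncompliant(&inv) == NULL) {
    puts("noncompliant getter returned NULL for the empty inventory");
  }

  addItem(&inv, 5);  /* books at index 0 */
  addItem(&inv, 2);  /* erasers at index 1 */
  printf("items=%zu total=%zu\n", inv.length, totalStock(&inv));
  return 0;
}
```

With the length stored alongside the array, "empty" is a state of the struct rather than a special return value, so the caller's loop needs no NULL branch at all.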

Noncompliant Code Example (Sentinel Value)

This noncompliant code example implements an inventory system similar to the one described previously. However, instead of storing the length of the array in a struct, a sentinel value of FINAL_ITEM is used. The value at the index following the last item is set to FINAL_ITEM. It is assumed that out-of-stock items (assigned value 0) are removed from the array and that the contents of later items are shifted to lower indexes.

The following code attempts to return an array of the items in stock, sorted by the amount of each item in stock. The arraySort function incorrectly returns NULL instead of a pointer to an empty array when no items are in stock. The null return is improperly handled by the main function, which attempts to print out the returned array, and an abnormal program termination results.

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* SIZE_MAX does not fit in an int, so it cannot portably be an enumerator */
#define FINAL_ITEM SIZE_MAX
enum { INV_SIZE = 20 };

size_t *arraySort(size_t *array);

int main(void) {
  size_t i;
  size_t stockOfItem[INV_SIZE];
  size_t *sortedArray;

  /* Other code that might use stockOfItem but leaves it empty */
  stockOfItem[0] = FINAL_ITEM;

  sortedArray = arraySort(stockOfItem);

  /* No NULL check: with an empty inventory this dereferences NULL */
  for (i = 0; sortedArray[i] != FINAL_ITEM; i++) {
    printf("Item stock: %zu\n", sortedArray[i]);
  }

  free(sortedArray);
  return 0;
}

/* Create new sorted array */
size_t *arraySort(size_t *array) {
  size_t i, j;
  size_t *sortedArray;

  /* Count the items before the sentinel */
  for (i = 0; array[i] != FINAL_ITEM; i++) {
    /* empty */
  }

  if (i == 0) {
    return NULL;  /* Noncompliant: NULL instead of an empty array */
  }

  /* One extra slot so the copy can carry its own FINAL_ITEM sentinel */
  sortedArray = (size_t *) malloc(sizeof(size_t) * (i + 1));
  if (sortedArray == NULL) {
    /* Handle memory error */
    exit(EXIT_FAILURE);
  }

  /* Add sorted data to array (insertion sort, ascending) */
  for (j = 0; j < i; j++) {
    size_t value = array[j];
    size_t k = j;
    while (k > 0 && sortedArray[k - 1] > value) {
      sortedArray[k] = sortedArray[k - 1];
      k--;
    }
    sortedArray[k] = value;
  }
  sortedArray[i] = FINAL_ITEM;

  return sortedArray;
}

...

Compliant Solution (Sentinel Value)

This compliant solution correctly returns an empty array from the arraySort function. If the size of the array is zero, arraySort allocates an array of size 1 and fills it with the sentinel value. It can then successfully return that array to the caller.

...
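A complete compliant arraySort for the sentinel-terminated inventory, as an added example rather than the page's own compliant solution: it allocates n + 1 slots so that an empty input yields a one-element array holding only FINAL_ITEM, and the caller's sentinel loop then runs zero times instead of dereferencing NULL. The countItems helper, the insertion sort and the sample inventories in main are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* SIZE_MAX does not fit in an int, so it is a macro rather than an enumerator */
#define FINAL_ITEM SIZE_MAX
enum { INV_SIZE = 20 };

/* Helper (assumed): number of items before the FINAL_ITEM sentinel */
size_t countItems(const size_t *array) {
  size_t n = 0;
  while (array[n] != FINAL_ITEM) {
    n++;
  }
  return n;
}

/* Compliant arraySort: returns a newly allocated, FINAL_ITEM-terminated
   copy of array sorted in ascending order. An empty input yields a
   one-element array containing only the sentinel, never NULL. */
size_t *arraySort(const size_t *array) {
  size_t n = countItems(array);
  size_t i;
  /* n data slots plus one for the sentinel; n == 0 allocates size 1 */
  size_t *sortedArray = (size_t *) malloc(sizeof(size_t) * (n + 1));

  if (sortedArray == NULL) {
    /* Handle memory error: an allocation failure, not an empty result */
    fputs("arraySort: out of memory\n", stderr);
    exit(EXIT_FAILURE);
  }

  /* Insertion sort into the new array */
  for (i = 0; i < n; i++) {
    size_t value = array[i];
    size_t k = i;
    while (k > 0 && sortedArray[k - 1] > value) {
      sortedArray[k] = sortedArray[k - 1];
      k--;
    }
    sortedArray[k] = value;
  }

  sortedArray[n] = FINAL_ITEM;
  return sortedArray;
}

int main(void) {
  size_t i;
  /* Constructed inventories: one empty, one holding three items */
  size_t emptyStock[INV_SIZE] = { FINAL_ITEM };
  size_t someStock[INV_SIZE] = { 5, 2, 9, FINAL_ITEM };
  size_t *sortedArray;

  sortedArray = arraySort(emptyStock);
  /* Safe: sortedArray points at a sentinel, not at NULL */
  for (i = 0; sortedArray[i] != FINAL_ITEM; i++) {
    printf("Item stock: %zu\n", sortedArray[i]);
  }
  printf("%zu items in stock\n", i);
  free(sortedArray);

  sortedArray = arraySort(someStock);
  for (i = 0; sortedArray[i] != FINAL_ITEM; i++) {
    printf("Item stock: %zu\n", sortedArray[i]);
  }
  printf("%zu items in stock\n", i);
  free(sortedArray);
  return 0;
}
```

Allocation failure is the one case that still cannot produce an array; it is reported as an error (here by exiting) rather than being conflated with the empty-inventory case, so a NULL from arraySort never means "nothing in stock".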

Returning NULL rather than a zero-length array can lead to vulnerabilities when the client code does not handle NULL properly. Abnormal program termination can result when the calling function performs operations on NULL.

...

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...

Sources

[Bloch 2008] Item 43: Return empty arrays or collections, not nulls

...