...

If something_really_bad_happens in g(), the function prints an error message to stderr and then calls abort(). The problem is that this application-independent code does not know the context in which it is being called, so it is wrong for it to decide how the error is handled.

[Miller 2004], Practice 23 says:

When a library aborts due to some kind of anomaly, it is saying there is no hope for execution to proceed normally beyond the point where the anomaly is detected. Nonetheless, it is dictatorially making this decision on behalf of the client. Even if the anomaly turns out to be some kind of internal bug in the library, which obviously cannot be resolved in the current execution, aborting is a bad thing to do. The fact is, a library developer cannot possibly know the fault-tolerant context in which his/her library is being used. The client may indeed be able to recover from the situation even if the library cannot.

...

A return type of errno_t indicates that the function returns a status indicator. (See recommendation DCL09-C. Declare functions that return errno with a return type of errno_t.)

While this error-handling approach is secure, it has the following drawbacks:

  • Source and object code can significantly increase in size, perhaps by as much as 30 to 40 percent [Saks 2007b].
  • All function return values must be checked. (See rule MEM32-C. Detect and handle memory allocation errors.)
  • Functions should not return other values if they return error indicators. (See recommendation ERR02-C. Avoid in-band error indicators.)
  • Any function that allocates resources must ensure they are freed in cases where errors occur.
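The following added example (not part of the original rule text) shows the errno_t status-return approach end to end: a hypothetical library routine parse_int_list() detects every anomaly, releases the memory it has acquired, and reports through its return value, while the hypothetical caller sum_list_or_default() alone decides what to do about the failure.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

typedef int errno_t; /* Annex K type; identical redefinition is legal in C11 */

/* Hypothetical library routine (not from the standard): parses a
 * comma-separated list of non-negative ints into a malloc'd array.
 * Every anomaly is reported through the errno_t return value; the
 * routine never aborts or prints, leaving the policy to the caller. */
errno_t parse_int_list(const char *text, int **out, size_t *count) {
  if (text == NULL || out == NULL || count == NULL) return EINVAL;
  size_t n = 1;                       /* fields = commas + 1 */
  for (const char *p = text; *p != '\0'; ++p) {
    if (*p == ',') ++n;
  }
  int *values = malloc(n * sizeof *values);
  if (values == NULL) return ENOMEM;  /* detect and report, not abort() */
  size_t i = 0;
  const char *p = text;
  for (;;) {
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno != 0 || v < 0 || v > INT_MAX ||
        (*end != ',' && *end != '\0')) {
      free(values);                   /* release what was acquired so far */
      return EINVAL;
    }
    values[i++] = (int)v;
    if (*end == '\0') break;
    p = end + 1;
  }
  *out = values;
  *count = n;
  return 0;
}

/* Application code owns the policy: a parse failure here falls back to a
 * default value instead of terminating the process. */
int sum_list_or_default(const char *text, int fallback) {
  int *vals;
  size_t n;
  if (parse_int_list(text, &vals, &n) != 0) return fallback;
  int sum = 0;
  for (size_t k = 0; k < n; ++k) sum += vals[k];
  free(vals);
  return sum;
}
```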

...

The following example uses setjmp() and longjmp() to ensure that control flow is disrupted in the event of an error, and it also uses the my_errno indicator from the previous example. See recommendation MSC22-C. Use the setjmp(), longjmp() facility securely for more information on setjmp() and longjmp().

...

Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
ERR05-C        | medium   | probable   | high             | P4       | L3

Automated Detection

Tool         | Version | Checker | Description
Compass/ROSE |         |         | Could detect violations of this rule merely by reporting functions that call abort(), exit(), or _Exit() inside an if or switch statement. This would also produce many false positives, because ROSE cannot distinguish a library function from an application function.

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

This rule appears in the CERT C++ Secure Coding Standard as ERR05-CPP. Application-independent code should provide error detection without dictating error handling.

Bibliography

[Miller 2004]
[Saks 2007b]

...