...
In this noncompliant code example, if the given user input is 0, the division operation results in a SIGFPE signal being sent to the program.
```c
#include <signal.h>
#include <stddef.h>
#include <stdlib.h>

volatile sig_atomic_t denom;

void sighandle(int s) {
  /* Fix the offending volatile */
  if (denom == 0) {
    denom = 1;
  }
  /* Everything is ok */
  return;
}

int main(int argc, char *argv[]) {
  int result = 0;

  if (argc < 2) {
    return 0;
  }

  denom = (int)strtol(argv[1], (char **)NULL, 10);
  signal(SIGFPE, sighandle);
  result = 100 / denom;

  return 0;
}
```
The noncompliant code example will loop infinitely on input 0 when compiled with GCC 4.3 or GCC 3.4. This illustrates that even when a SIGFPE handler attempts to fix the error condition while obeying all other rules of signal handling, the program still does not behave as expected.
Compliant Solution
In the compliant solution, the only portably safe way to leave a SIGFPE, SIGILL, or SIGSEGV handler is through abort() or _Exit(). In the case of SIGFPE, the default handler calls abort(), so no user-defined handler is actually needed. The handler shown is only for consistency.
...
Some implementations define useful behavior for programs that return from one or more of these signal handlers. For example, Solaris provides the sigfpe() function specifically to set a SIGFPE handler that a program may safely return from. Sun also provides platform-specific computational exceptions for the SIGTRAP, SIGBUS, and SIGEMT signals. Finally, GNU libsigsegv takes advantage of the ability to return from a SIGSEGV handler to implement page-level memory management in user mode.
Risk Assessment
Code that attempts to handle SIGSEGV, SIGILL, or SIGFPE signals is rare. However, code that does rely on handling these signals will usually require a redesign to fix the problem.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SIG35-C | low | unlikely | high | P3 | L3 |
...