Software vulnerabilities can result when a programmer fails to consider all possible data states.
Noncompliant Code Example (If Chain)
This noncompliant code example fails to test for conditions where a is neither b nor c. This may be the correct behavior in this case, but failure to account for all the values of a may result in logic errors if a unexpectedly assumes a different value.
```c
if (a == b) {
  /* ... */
}
else if (a == c) {
  /* ... */
}
```
Compliant Solution (If Chain)
This compliant solution explicitly checks for the unexpected condition and handles it appropriately.
```c
if (a == b) {
  /* ... */
}
else if (a == c) {
  /* ... */
}
else {
  /* handle error condition */
}
```
Noncompliant Code Example (Switch)
This noncompliant code example fails to consider all possible cases. This may be the correct behavior in this case, but failure to account for all the values of widget_type may result in logic errors if widget_type unexpectedly assumes a different value or if its valid range is expanded during code maintenance and the programmer overlooks the need to add a case to the switch.
This is particularly problematic in C, because an identifier declared as an enumeration constant has type int. As a result, a programmer can accidentally assign an arbitrary integer value to a variable of enum type, as shown in this example.
...
Microsoft Visual C++ .NET with /W4 does not warn when assigning an integer value to an enum type, or when the switch statement does not contain all possible values of the enumeration.
Compliant Solution (Switch)
This compliant solution explicitly checks for the unexpected condition by adding a default clause to the switch statement.
...
Adding a default case to a switch statement, even when all possible switch labels are specified, is an allowable exception (MSC07-EX1) to guideline MSC07-C. Detect and remove dead code, as the unreachable code is added as a precautionary measure.
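As an added example (not code from the CERT page), the following C program shows the switch form of this recommendation with a hypothetical widget_type_t enumeration and hypothetical price functions. price_noncompliant has no default clause, so an out-of-range value silently produces a bogus price; price_compliant reports the unexpected value through a default clause. Because enumeration constants have type int in C, the out-of-range assignment in main compiles without a cast.

```c
#include <stdio.h>

/* Hypothetical enumeration; the names are assumptions for this example. */
typedef enum { WIDGET_SMALL, WIDGET_MEDIUM, WIDGET_LARGE } widget_type_t;

/* Sentinel returned when the widget type is not one we know how to price. */
enum { PRICE_INVALID = -1 };

/* Noncompliant: no default clause. An unexpected value leaves `price` at 0
 * and the caller cannot tell that the input was never handled. */
int price_noncompliant(widget_type_t widget_type) {
  int price = 0;
  switch (widget_type) {
    case WIDGET_SMALL:  price = 10; break;
    case WIDGET_MEDIUM: price = 20; break;
    case WIDGET_LARGE:  price = 30; break;
  }
  return price; /* 0 for any value not listed above */
}

/* Compliant: the default clause handles the error condition explicitly,
 * so a value outside the enumeration is reported rather than ignored. */
int price_compliant(widget_type_t widget_type) {
  switch (widget_type) {
    case WIDGET_SMALL:  return 10;
    case WIDGET_MEDIUM: return 20;
    case WIDGET_LARGE:  return 30;
    default:
      /* handle error condition */
      fprintf(stderr, "unexpected widget_type %d\n", (int)widget_type);
      return PRICE_INVALID;
  }
  return PRICE_INVALID; /* not reachable; keeps every path explicit */
}

int main(void) {
  /* Enumeration constants are ints, so this compiles in C without a cast. */
  widget_type_t bogus = 42;
  printf("noncompliant price: %d\n", price_noncompliant(bogus));
  printf("compliant price:    %d\n", price_compliant(bogus));
  return 0;
}
```

The noncompliant version returns 0 for the bogus value, which looks like a legitimate price to the caller; the compliant version returns PRICE_INVALID, so the failure is visible at the call site. The same reasoning applies to the if chain above: its terminating else plays the role of the default clause.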
...
Compass/ROSE can detect some violations of this recommendation. In particular, it flags switch statements that do not have a default clause. ROSE should also detect "fake switches," that is, a chain of if statements each checking the value of the same variable. These if statements should always end in an else clause, or they should mathematically cover every possibility. For instance, consider the following:
```c
if (x > 0) {
  /* ... */
} else if (x < 0) {
  /* ... */
} else if (x == 0) {
  /* ... */
}
```
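Whether a chain "mathematically covers every possibility" depends on the type of the variable. The following added example (not from the CERT page, with hypothetical classify_int and classify_double functions) shows that the three comparisons above are exhaustive for an int, but not for a double: a NaN compares false against everything, so all three tests fail and control falls out of the chain unless a terminating else catches it.

```c
#include <math.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum sign { SIGN_NEGATIVE, SIGN_ZERO, SIGN_POSITIVE, SIGN_UNORDERED };

/* For an int, x > 0, x < 0 and x == 0 are mutually exclusive and exhaustive:
 * once the first two fail, x == 0 is the only remaining possibility, so the
 * final branch can be a plain else. */
enum sign classify_int(int x) {
  if (x > 0) {
    return SIGN_POSITIVE;
  } else if (x < 0) {
    return SIGN_NEGATIVE;
  } else {
    return SIGN_ZERO; /* x == 0 is all that is left */
  }
}

/* For a double, the same three tests are NOT exhaustive. IEEE 754 ordered
 * comparisons involving NaN are all false, so a NaN would fall through a
 * chain that ends at x == 0.0. The terminating else makes that case
 * explicit instead of silently doing nothing. */
enum sign classify_double(double x) {
  if (x > 0.0) {
    return SIGN_POSITIVE;
  } else if (x < 0.0) {
    return SIGN_NEGATIVE;
  } else if (x == 0.0) {
    return SIGN_ZERO; /* also matches -0.0, which compares equal to 0.0 */
  } else {
    return SIGN_UNORDERED; /* reached only for NaN */
  }
}

int main(void) {
  printf("classify_int(-7)     = %d\n", (int)classify_int(-7));
  printf("classify_double(NAN) = %d\n", (int)classify_double(NAN));
  return 0;
}
```

A static analyzer that only counts branches cannot tell these two chains apart; the reviewer has to reason about the domain of x. Ending the chain with an else removes the need for that reasoning.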
Klocwork can detect violations of this rule with the LA_UNUSED checker. See Klocwork Cross Reference.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
Related Guidelines
This rule appears in the C++ Secure Coding Standard as MSC01-CPP. Strive for logical completeness.
Bibliography
[Hatton 95] Section 2.7.2, "Errors of omission and addition"
[ISO/IEC PDTR 24772] "CLL Switch statements and static analysis"
[Viega 05] Section 5.2.17, "Failure to account for default case in switch"
http://www.aeroxp.org/2009/01/lesson-on-infinite-loops for analysis on the Zune 30 bug
...