SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 14

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 15

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
int i;
rsize_t count = 0;
errno_t err;

for (i = 0; i < 9; ++i) {
  if ((err = sprintf_m( buf + count, "%02x ", &count,
                        ((u8 *)&slreg_num)[i])) != 0) {
    /* handle print error */
  }
}
if ((err = sprintf_m( buf + count, "%02x ", &count,
                      ((u8 *)&slreg_num)[i]) ) != 0) {
  /* handle print error */
}

Exceptions

ERR02-EX1: Null pointers are another example of an in-band error indicator. Use of the null pointers is not quite as bad because it is supported for by the language. According to C99 Section 6.3.2.3, "Pointers":

If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.

ERR02-EX2: One may use a function returning in-band error indicators if one can securely guarantee the program will not try to continue processing should an error occur in the function.

For example, the functions defined in TR24731-1 provide hooks for internal constraint violations. If a constraint violation handler is guarenteed not to return upon an error occurring, then one may safely ignore errors returned by these functions. One might accomplish this by having the constraint violation handler call abort(), or longjmp(), for instance.

...

Non-Compliant Code Example (TR24731-1)
 Code Block
bgColor#FFCCCC
constraint_handler_t handle_errors() {
  constraint_handler_t data;
  /* define what to do when error occurs */
  return data;
}

/*...*/

set_constraint_handler(handle_errors);

/*...*/

/* Returns zero on success */
errno_t function(char* dst1){
  char src1[100] = "hello";

  strcpy_s( dst1, sizeof(dst1), src1);
  /* At this point strcpy_s may have yielded an
     error and handle_errors() might have returned */

  /* ... */
  return 0;
}

...
 Code Block
bgColor#CCCCFF
constraint_handler_t handle_errors() {
  /* define what to do when error occurs */
  abort();
}

/*...*/

set_constraint_handler(handle_errors);

/*...*/

/* Returns zero on success */
errno_t function(char* dst1){
  char src1[100] = "hello";

  strcpy_s( dst1, sizeof(dst1), src1);
  /* since handle_errors() never returns,
     we only get here if strcpy_s() succeeds. */

  /* ... */
  return 0;
}

...
 Recommendation 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 ERR02-A 
 low 
 unlikely 
 high 
 P1 
 L3 
Exceptions
ERR02-EX1: Null pointers are another example of an in-band error indicator. Use of the null pointers is not quite as bad because it is supported for by the language. According to C99 Section 6.3.2.3, "Pointers":
If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.
ERR02-EX2: One may use a function returning in-band error indicators if one can securely guarantee the program will not try to continue processing should an error occur in the function.
For example, the functions defined in TR24731-1 provide hooks for internal constraint violations. If a constraint violation handler is guaranteed not to return upon an error occurring, then one may safely ignore errors returned by these functions. One might accomplish this by having the constraint violation handler call abort(), or longjmp(), for instance.
See ERR03-A. Use runtime-constraint handlers when calling functions defined by TR24731-1 for more on the functions defined in TR24731-1.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...