Comment: Changed strength of title since it's a recommendation

...

  • a return value (especially of type errno_t)
  • an argument passed by address
  • a global object (e.g., errno)
  • longjmp()
  • some combination of the above

Non-Compliant Code Example

This non-compliant code example consists of two application-independent functions f() and g(). The f() function is part of the external API for the module; the g() function is an internal function.

...

It is equally bad to eliminate the call to abort() from g(). In this case, there is no indication back to the calling function that any error has occurred.

Compliant Solution (Return Value)

One way to indicate errors is to return a value indicating success or errors. This compliant solution changes each function to return a value of type errno_t, where 0 indicates that no error has occurred.

...

  • Source and object code can significantly increase in size, perhaps by as much as 30-40% [Saks 07b].
  • All function return values must be checked (see MEM32-C. Detect and handle memory allocation errors, among many others).
  • Functions should not return other values if they return error indicators (see ERR02-A. Avoid in-band error indicators).
  • Any function that allocates resources must ensure they are freed in cases where errors occur.
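The following is an added illustration of the return-value approach and is not the code from the original page: a hypothetical internal g() and external f() both report status as errno_t, f() releases the scratch resource it owns on every path, and only the application-level use_buffer() chooses a handling policy (the constructed policy here is to map a failure to a negative errno value).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* errno_t is from TR 24731-1 / C11 Annex K; supply it where libc lacks it. */
#ifndef __STDC_LIB_EXT1__
typedef int errno_t;
#endif

/* Internal function (hypothetical g): detects errors and reports them through
 * its return value; it never calls abort() or picks a handling policy. */
static errno_t g(size_t n, char **out) {
    *out = NULL;
    if (n == 0 || n > 1024) return EINVAL;   /* caller decides what to do */
    char *buf = malloc(n);
    if (buf == NULL) return ENOMEM;
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
    *out = buf;
    return 0;
}

/* External API (hypothetical f): owns a scratch resource, so it must release
 * that resource before propagating g()'s status to the caller. */
errno_t f(size_t n, char **result) {
    if (result == NULL) return EINVAL;
    *result = NULL;
    char *scratch = malloc(16);
    if (scratch == NULL) return ENOMEM;
    errno_t err = g(n, result);
    free(scratch);            /* freed on both the success and the error path */
    return err;
}

/* Application code: the one place a handling policy is chosen. Here a failure
 * is mapped to a negative errno value (constructed policy); a real program
 * might log, retry or abort instead. Returns the string length on success. */
int use_buffer(size_t n) {
    char *buf;
    errno_t err = f(n, &buf);
    if (err != 0) return -err;
    int len = (int)strlen(buf);
    free(buf);
    return len;
}
```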

Compliant Solution (Address Argument)

Instead of encoding status indicators in the return value, each function can take a pointer as an argument, which is used to indicate errors. In the following example, each function uses an errno_t* argument to report errors.

...

  • A return status can only be returned if the caller provides a valid pointer to an object of type errno_t. If this argument is NULL, there is no way to indicate this error.
  • Source code becomes even larger because of the possibility of receiving a null pointer.
  • All error indicators must be checked after calling functions.
  • Any function that allocates resources must ensure they are freed in cases where errors occur.
  • Unlike return values, static analysis tools generally do not diagnose a failure to check error indicators passed as argument pointers.

Compliant Solution (Global Error Indicator)

Instead of encoding error indicators in the return value or arguments, a function can indicate its status by assigning a value to a global variable. In the following example, each function uses a static indicator called my_errno.

...

For these reasons, among others, this approach is generally discouraged.

Compliant Solution (setjmp() and longjmp())

C provides two functions, setjmp() and longjmp(), that can be used to alter control flow. This allows a user of these functions to ignore error values and trust that control flow will be correctly diverted in the event of an error.

...

  • Source code will not become significantly larger because function signatures do not change, and neither do functions that neither detect nor handle the error.
  • Allocated resources must still be freed despite the error.
  • The application must call setjmp() before invoking application-independent code.
  • Signals are not necessarily preserved through longjmp() calls.
  • The use of setjmp()/longjmp() bypasses the normal function call and return discipline.
  • Any function that allocates resources must ensure they are freed in cases where errors occur.

Summary

Method              Code Increase    Manages Allocated Resources    Automatically Enforceable
Return Value        Big (30-40%)     no                             yes
Address Argument    Bigger           no                             no
Global Indicator    Medium           no                             yes
longjmp()           Small            no                             n/a

Risk Analysis

Lack of an error detection mechanism prevents applications from knowing when an error has disrupted normal program behavior.

Recommendation    Severity    Likelihood    Remediation Cost    Priority    Level
ERR05-A           high        likely        high                P9          L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[Miller 04] AA. C References#Miller 04
[Saks 07b] AA. C References#Saks 07b

...