...

A signal handler may only call signal() if it does not need to be async-safe (in other words, all relevant signals are masked, so the handler cannot be interrupted).

Non-Compliant Code Example

In this non-compliant code example, the signal handler handler() is bound to signum.

...

If the environment is persistent (that is, it does not reset the handler when the signal is received), the handler's signal() function is redundant.

Compliant Solution

For persistent platforms, the handler's signal() function is unnecessary.

#include <signal.h>

void handler(int signum) {
  /* handling code; the handler does not call signal() */
}
/* ... */
signal(signum, handler);  /* registered once, outside the handler */

Compliant Solution (POSIX)

POSIX defines the sigaction(2) function, which assigns handlers to signals as signal(2) does, but also allows the caller to set persistence explicitly. Using sigaction(2) therefore sidesteps the race window on non-persistent operating systems.

...

In fact, POSIX recommends sigaction(2) and deprecates signal(2). Unfortunately, sigaction(2) is not C99-compliant, and is not supported on some platforms, including Windows.
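The sigaction(2) approach described above, as an added example that is not CERT's own code: it installs a handler without SA_RESETHAND and checks that the disposition survives delivery, then uses SA_RESETHAND only to emulate a non-persistent platform and show the state in which a second signal would get the default action. The function names and the use of SIGUSR1 are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* expose sigaction(2) under strict -std= modes */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t hits = 0;

/* Async-signal-safe: touches one volatile sig_atomic_t and never re-registers. */
static void handler(int signum) {
  (void)signum;
  hits = hits + 1;
}

/* flags == 0 gives a persistent handler; SA_RESETHAND emulates a platform
   that resets the disposition to SIG_DFL when the signal is delivered. */
static int install(int signum, int flags) {
  struct sigaction act;
  memset(&act, 0, sizeof act);
  act.sa_handler = handler;
  act.sa_flags = flags;
  if (sigemptyset(&act.sa_mask) != 0) return -1;
  return sigaction(signum, &act, NULL);
}

/* Deliver one signal, then report whether handler is still installed (1)
   or the disposition has changed (0). Returns -1 on error. */
int survives_delivery(int signum, int flags) {
  struct sigaction cur;
  if (install(signum, flags) != 0 || raise(signum) != 0) return -1;
  if (sigaction(signum, NULL, &cur) != 0) return -1;
  return cur.sa_handler == handler;
}

/* With a persistent handler, n deliveries produce n handler runs. */
int handled_count(int signum, int n) {
  int before;
  if (install(signum, 0) != 0) return -1;
  before = hits;
  for (int i = 0; i < n; i++)
    if (raise(signum) != 0) return -1;
  return hits - before;
}

int main(void) {
  printf("persistent survives: %d\n", survives_delivery(SIGUSR1, 0));
  printf("reset-on-delivery survives: %d\n", survives_delivery(SIGUSR1, SA_RESETHAND));
  printf("handled 3 of 3: %d\n", handled_count(SIGUSR1, 3));
  return 0;
}
```

The reset-on-delivery case raises the signal only once: after that delivery the disposition is SIG_DFL, which for SIGUSR1 terminates the process.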

Exceptions

SIG34-EX1: On a machine with persistent signal handlers, it is safe for a handler to modify the behavior for its own signal. This would include having the signal be ignored, reset to default behavior, or handled by a different handler. A handler assigning itself to its own signal is also safe, as it is a no-op. The handler is impervious to a race condition since multiple invocations of its signal will merely cause it to 'interrupt itself', until it manages to reassign its signal.

...

Not all systems have persistent signal handlers. For more information, see SIG01-A. Understand implementation-specific details regarding signal handler persistence.

Risk Assessment

Two signals in quick succession can trigger the race condition on non-persistent platforms, thereby causing the signal's default behavior despite a handler's attempt to override it.

|| Recommendation || Severity || Likelihood || Remediation Cost || Priority || Level ||
| SIG34-C | 1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[ISO/IEC 9899-1999TR2] Section 7.14.1.1, "The signal function"

...