Versions Compared

Comment: Oops, TR24731-1 code samples belonged with 2nd exception

...

int i;
rsize_t count = 0;
errno_t err;

for (i = 0; i < 9; ++i) {
  if ((err = sprintf_m(buf + count, "%02x ", &count,
                        ((u8 *)&slreg_num)[i])) != 0) {
    /* handle print error */
  }
}
if ((err = sprintf_m(buf + count, "%02x ", &count,
                      ((u8 *)&slreg_num)[i])) != 0) {
  /* handle print error */
}

Exceptions

ERR02-EX1: Null pointers are another example of an in-band error indicator. Use of null pointers is not quite as bad because it is supported by the language. According to C99 Section 6.3.2.3, "Pointers":

If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.

ERR02-EX2: One may use a function returning in-band error indicators if one can securely guarantee the program will not try to continue processing should an error occur in the function.

For example, the functions defined in TR24731-1 provide hooks for internal constraint violations. If a constraint violation handler is guaranteed not to return upon an error occurring, then one may safely ignore errors returned by these functions. One might accomplish this by having the constraint violation handler call abort(), or longjmp(), for instance.

See ERR03-A. Use runtime-constraint handlers when calling functions defined by TR24731-1 for more on the functions defined in TR24731-1.

Non-Compliant Code Example (TR24731-1)

In this example, the runtime-constraint handler returns normally and the strcpy_s() return value is not checked, so a constraint violation inside strcpy_s() goes unnoticed and function() continues as if the copy had succeeded.

#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>

/* Runtime-constraint handler with the TR24731-1 signature.
   It does whatever is defined here and then returns to its caller. */
void handle_errors(const char *msg, void *ptr, errno_t error) {
  /* define what to do when error occurs */
}

/*...*/

/* Installed once, e.g. during program initialization */
set_constraint_handler_s(handle_errors);

/*...*/

/* Returns zero on success; dst1_size is the size of the buffer dst1 points to */
errno_t function(char *dst1, rsize_t dst1_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst1_size, src1);
  /* At this point strcpy_s may have yielded an
     error and handle_errors() might have returned */

  /* ... */
  return 0;
}

Compliant Code Example (TR24731-1)

Here the code is rectified by installing abort_handler_s() as the runtime-constraint handler. Because that handler terminates the program, strcpy_s() only ever returns when the copy succeeded, so ignoring its return value is safe.

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
#include <string.h>

/*
 * The abort_handler_s() function writes a message on the
 * standard error stream then calls the abort() function.
 */
set_constraint_handler_s(abort_handler_s);

/*...*/

/* Returns zero on success; dst1_size is the size of the buffer dst1 points to */
errno_t function(char *dst1, rsize_t dst1_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst1_size, src1);
  /* Because abort_handler_s() never returns,
     we only get here if strcpy_s() succeeds. */

  /* ... */
  return 0;
}
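The contrast behind ERR02-EX2 and the compliant example above, as an added example that is not part of the original page or of TR24731-1: a returning handler lets the caller continue past an unchecked in-band error, while a non-returning handler (here via longjmp(), the other option the exception names besides abort()) makes ignoring the return value safe. Because common C libraries do not ship Annex K, the block uses a constructed stand-in, bounded_copy(), with strcpy_s()-like runtime constraints; bounded_copy, run_copy, process_record, the two handlers and the sample inputs are all assumptions of this example, not names from the page.

```c
#include <errno.h>
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Handler signature modelled on TR24731-1's constraint_handler_t
   (constructed stand-in; the names in this file are not the standard's). */
typedef void (*copy_handler_t)(const char *msg, void *ptr, int error);

static copy_handler_t current_handler;  /* installed handler, like set_constraint_handler_s() */
static jmp_buf violation_jmp;           /* target for the non-returning handler */
static int handler_calls;               /* violations the handler has seen in this run */
static int continued_count;             /* how often processing ran past the copy */

/* Handler that only logs and then returns: the caller keeps running. */
static void returning_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    ++handler_calls;
    fprintf(stderr, "constraint violation: %s (errno %d); returning\n", msg, error);
}

/* Handler that never returns: control goes back to the setjmp() in run_copy(). */
static void nonreturning_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    ++handler_calls;
    fprintf(stderr, "constraint violation: %s (errno %d); unwinding\n", msg, error);
    longjmp(violation_jmp, 1);
}

/* Bounded copy with strcpy_s()-like runtime constraints (constructed, not Annex K):
   on a violation dst[0] is cleared, the handler is called, and an in-band
   error code is returned. Returns 0 on success. */
static int bounded_copy(char *dst, size_t dstmax, const char *src) {
    size_t n = 0;
    if (dst == NULL || dstmax == 0) {
        current_handler("dst is NULL or dstmax is 0", NULL, EINVAL);
        return EINVAL;
    }
    if (src == NULL) {
        dst[0] = '\0';
        current_handler("src is NULL", NULL, EINVAL);
        return EINVAL;
    }
    while (n < dstmax && src[n] != '\0') ++n;   /* bounded length scan */
    if (n == dstmax) {
        dst[0] = '\0';
        current_handler("src does not fit in dst", NULL, ERANGE);
        return ERANGE;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Mirrors the page's function(): the copy's return value is deliberately
   ignored and "processing" continues right after it. */
static void process_record(char *dst, size_t dstmax, const char *src) {
    bounded_copy(dst, dstmax, src);
    ++continued_count;                  /* only safe if the handler cannot return */
}

/* Runs process_record() under the given handler.
   Returns 0: copy succeeded; 1: violation intercepted, processing never continued;
   2: violation occurred but processing continued anyway (the unsafe case). */
static int run_copy(copy_handler_t handler, char *dst, size_t dstmax, const char *src) {
    current_handler = handler;
    handler_calls = 0;
    continued_count = 0;
    if (setjmp(violation_jmp) != 0) {
        return 1;                       /* reached only via nonreturning_handler */
    }
    process_record(dst, dstmax, src);
    return handler_calls > 0 ? 2 : 0;
}

int main(void) {
    char buf[8];
    /* Constructed inputs: one that fits the buffer, one that does not. */
    printf("returning handler, short src:   %d\n", run_copy(returning_handler, buf, sizeof buf, "hello"));
    printf("returning handler, long src:    %d\n", run_copy(returning_handler, buf, sizeof buf, "far too long"));
    printf("nonreturning handler, long src: %d\n", run_copy(nonreturning_handler, buf, sizeof buf, "far too long"));
    return 0;
}
```

With the returning handler the oversized input leaves buf empty and the record is still "processed"; with the non-returning handler the same input never reaches the processing step, which is exactly the guarantee ERR02-EX2 requires before an in-band error indicator may be ignored.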

...

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
ERR02-A         low       unlikely    high              P1        L3

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...