Software vulnerabilities can result when a programmer fails to consider all possible data states.
...
Noncompliant Code Example
This example fails to test for conditions where a is neither b nor c. This may be the correct behavior in this case, but failure to account for all the values of a may result in logic errors if a unexpectedly assumes a different value.
| Code Block | ||
|---|---|---|
| ||
if (a == b) {
/* ... */
}
else if (a == c) {
/* ... */
}
|
Compliant Solution
This compliant solution explicitly checks for the unexpected condition and handles it appropriately.
| Code Block | ||
|---|---|---|
| ||
if (a == b) {
/* ... */
}
else if (a == c) {
/* ... */
}
else {
/* handle error condition */
}
|
...
Noncompliant Code Example
This non-compliant noncompliant code example fails to consider all possible cases. This may be the correct behavior in this case, but failure to account for all the values of widget_type may result in logic errors if widget_type unexpectedly assumes a different value or if its valid range is expanded during code maintenance and the programmer overlooks the need to add a case to the switch.
...
| Code Block | ||
|---|---|---|
| ||
enum WidgetEnum { WE_W, WE_X, WE_Y, WE_Z } widget_type;
widget_type = 45;
switch (widget_type) {
case WE_X:
/* ... */
break;
case WE_Y:
/* ... */
break;
case WE_Z:
/* ... */
break;
}
|
Implementation Details
Microsoft Visual C++ .NET with /W4 does not warn when assigning an integer value to an enum type, or when the switch statement does not contain all possible values of the enumeration.
Compliant Solution
This compliant solution explicitly checks for the unexpected condition by adding a default clause to the switch statement.
...
Adding a default case to a switch statement, even when all possible switch labels are specified, is an allowable exception (MSC07-EX1) to MSC07-AC. Detect and remove dead code, as the unreachable code is added as a precautionary measure.
Historical Discussion
This practice has been a subject of debate for some time, but a clear direction has emerged.
...
Existing implementations are in transition, with some not yet analyzing switch statements with default labels. Developers must take extra care to check their own switch statements until the new practice becomes universal.
Risk Assessment
Failing to take into account all possibilities within a logic statement can lead to a corrupted running state, potentially resulting in unintentional information disclosure or abnormal termination.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC01-A C | medium | probable | medium | P8 | L2 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to can detect violations of this recommendation.
...
| Code Block | ||
|---|---|---|
| ||
if (x > 0) {
/* ... */
} else if (x < 0) {
/* ... */
} else if (x == 0) {
/* ... */
}
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Hatton 95|AA. C References#Hatton 95]\] Section 2.7.2, "Errors of omission and addition" \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "CLL Switch statements and static analysis" \[[Viega 05|AA. C References#Viega 05]\] Section 5.2.17, "Failure to account for default case in switch" |
...