Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Changed to JG and fixed some links

...

In Java, the best way to indicate an exceptional situation is by throwing an exception rather than by returning an error code. Exceptions cannot be ignored in the same way that error codes can, and exceptions are propagated across scopes. When using exceptions, the error-detection and error-handling code is kept separate from the main flow of control. Also, exceptions can be used in situations where error codes cannot be returned (in constructors, for example).

Noncompliant Code Example

This noncompliant code example attempts to read into an array of characters and add an extra character into the buffer immediately after the characters read.

Code Block
bgColor#FFCCCC

static final int MAX = 21;
static final int MAX_READ = MAX - 1;
static final char TERMINATOR = '\\';
int read;
char [] chBuff = new char [MAX];
BufferedReader buffRdr;

// set up buffRdr

read = buffRdr.read(chBuff, 0, MAX_READ);
chBuff[read] = TERMINATOR;

However, if the input buffer is initially at end-of-file, then the read method will return ?1 and the attempt to place the terminator character will throw an ArrayIndexOutOfBoundsException.

Compliant Solution (Extending)

This compliant solution defines a SafeBufferedReader class and introduces a readSafe method that throws an exception if end-of-file is detected.

Code Block
bgColor#ccccff

class SafeBufferedReader extends BufferedReader {
   SafeBufferedReader(Reader in) {
      super(in);
   }

   public int readSafe(char[] cbuf, int off, int len) throws EOFException {
      int read = read(cbuf, off, len);
      if (read == -1) {
         throw new EOFException();
      } else {
         return read;
      }
   }
}

// ...

SafeBufferedReader safeBuffRdr;

try {
   read = safeBuffRdr.readSafe(chBuff, 0, MAX_READ);
   chBuff[read] = TERMINATOR;
} catch (EOFException eof) {
   chBuff[0] = TERMINATOR;
}

Compliant Solution (Wrapping)

This compliant solution defines a readSafe method that wraps the original read method and throws an exception if end-of-file is detected.

Code Block
bgColor#ccccff

public static int readSafe(BufferedReader buffer, char[] cbuf, int off, int len) throws IOException {
  int read = buffer.read(cbuf, off, len);
  if (read == -1) {
     throw new EOFException();
  } else {
     return read;
  }
}

// ...

BufferedReader buffRdr;

// set up buffRdr

try {
   read = readSafe(buffRdr, chBuff, 0, MAX_READ);
   chBuff[read] = TERMINATOR;
} catch (EOFException eof) {
   chBuff[0] = TERMINATOR;
}

Risk Assessment

Using in-band error indicators may result in programmers failing to check status codes or using incorrect return values, resulting in undefined behavior.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

ERR53ERR52-J JG

low

probable

high

P2

L3

Automated Detection

Given the comparatively rare occurrence of in-band error indicators in Java, it may be possible to compile a list of all methods that use them and automatically detect their use. However, detecting the safe use of in-band error indicators is not feasible.

Related

...

Guidelines

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Other Languages

This guideline appears in the C Secure Coding Standard as : ERR02-C. Avoid in-band error indicators and in the

C++ Secure Coding Standard as : ERR07-CPP. Use exception handling rather than error codes.

Bibliography

[API 2006]

Class Reader

[JLS 2011]

Chapter 11, Exceptions