The C Standard, Annex K Bounds-checking interfaces, provides a consistent mechanism to handle constraint violations that are discerned at runtime. Most functions defined by Annex K include, as part of their specification, a list of runtime-constraints, violations of which can be consistently handled at runtime. Library implementations must verify that the runtime-constraints for a function are not violated by the program. If a runtime-constraint is violated, the runtime-constraint handler currently registered with set_constraint_handler_s() is called.

Annex K, subclause K.3.6.1.1, of the C Standard [ISO/IEC 9899:2011] states:

When the handler is called, it is passed the following arguments in the following order:

  1. A pointer to a character string describing the runtime-constraint violation.
  2. A null pointer or a pointer to an implementation-defined object.
  3. If the function calling the handler has a return type declared as errno_t, the return value of the function is passed. Otherwise, a positive value of type errno_t is passed.

The implementation has a default constraint handler that is used if no calls to the set_constraint_handler_s() function have been made or the handler argument to set_constraint_handler_s() is a null pointer. The behavior of the default handler is implementation-defined, and it may cause the program to exit or abort.

And subclause K.3.1.4 states:

These runtime-constraints are requirements on the program using the library.

and

The runtime-constraint handler might not return. If the handler does return, the library function whose runtime-constraint was violated shall return some indication of failure as given by the returns section in the function's specification.

These runtime-constraint handlers mitigate some of the potential insecurity caused by in-band error indicators. (See ERR02-C. Avoid in-band error indicators.)

Noncompliant Code Example (C11 Annex K)

In this noncompliant code example, the strcpy_s() function is called, but no runtime-constraint handler has been explicitly registered. As a result, the implementation-defined default handler is called on a runtime error.

#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>

/* No runtime-constraint handler is registered, so a violation inside
 * strcpy_s() (for example, size too small to hold src1) invokes the
 * implementation-defined default handler. Returns zero on success. */
errno_t function(char *dst1, size_t size) {
  char src1[100] = "hello";

  if (strcpy_s(dst1, size, src1) != 0) {
    return -1;
  }
  /* ... */
  return 0;
}

The result is inconsistent behavior across implementations and possible termination of the program instead of a graceful exit. The implementation-defined default handler performs a default action consistent with a particular implementation. However, this may not be the desired action, and because the behavior is implementation-defined, it is not guaranteed to be the same on all implementations.

It is therefore prudent to explicitly install a runtime-constraint handler to ensure consistent behavior across implementations.

Compliant Solution (C11 Annex K)

This compliant solution explicitly installs a runtime-constraint handler by invoking the set_constraint_handler_s() function. This would typically be performed during system initialization and before any functions that use the mechanism are invoked.

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
#include <string.h>

/* Handler with the signature required by constraint_handler_t (K.3.6.1.1):
 * a description of the violation, a null or implementation-defined pointer,
 * and the error value that the failing function will return. */
void handle_errors(const char *msg, void *ptr, errno_t error) {
  /* Handle runtime-constraint error */
}

/* Typically run once during system initialization, before any
 * bounds-checking function is called. */
void init(void) {
  set_constraint_handler_s(handle_errors);
}

/* Returns zero on success */
errno_t function(char *dst1, size_t size) {
  char src1[100] = "hello";

  if (strcpy_s(dst1, size, src1) != 0) {
    return -1;
  }
  /* ... */
  return 0;
}
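As an added example (not part of the original rule), the following portable model shows both halves of the mechanism described above and used in the compliant solution: the library side that verifies runtime-constraints and dispatches to the registered handler, and the application side that installs its own handler so behavior no longer depends on the implementation's default. The demo_* names are constructed stand-ins for set_constraint_handler_s(), constraint_handler_t and strcpy_s(), so it compiles on implementations that lack Annex K.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEMO_RSIZE_MAX ((size_t)-1 >> 1)   /* stands in for RSIZE_MAX */

/* Same shape as C11 constraint_handler_t: message, reserved pointer, error. */
typedef void (*demo_constraint_handler_t)(const char *msg, void *ptr, int error);

/* Default handler: implementation-defined by the standard; this model aborts. */
static void demo_abort_handler(const char *msg, void *ptr, int error) {
  (void)ptr;
  fprintf(stderr, "runtime-constraint violation: %s (error %d)\n", msg, error);
  abort();
}
static demo_constraint_handler_t demo_handler = demo_abort_handler;

/* Mirrors set_constraint_handler_s(): null reinstates the default; returns old. */
demo_constraint_handler_t demo_set_constraint_handler_s(demo_constraint_handler_t h) {
  demo_constraint_handler_t old = demo_handler;
  demo_handler = h ? h : demo_abort_handler;
  return old;
}

/* Library side: verify the strcpy_s runtime-constraints (K.3.7.1.3) before copying;
 * on a violation clear s1[0] where allowed, call the handler, return err if it returns. */
int demo_strcpy_s(char *s1, size_t s1max, const char *s2) {
  int err = 0;
  const char *msg = NULL;
  if (s1 == NULL || s2 == NULL) {
    err = EINVAL; msg = "strcpy_s: null pointer argument";
  } else if (s1max == 0 || s1max > DEMO_RSIZE_MAX) {
    err = EINVAL; msg = "strcpy_s: s1max is zero or exceeds RSIZE_MAX";
  } else if (strlen(s2) >= s1max) {
    err = ERANGE; msg = "strcpy_s: source does not fit in destination";
  }
  if (err == 0) {
    memcpy(s1, s2, strlen(s2) + 1);
    return 0;
  }
  if (s1 != NULL && s1max > 0 && s1max <= DEMO_RSIZE_MAX) s1[0] = '\0';
  demo_handler(msg, NULL, err);   /* the handler might not return */
  return err;
}

/* Application side: records the violation instead of aborting, so behavior is the same everywhere. */
static int demo_last_error;
void demo_record_handler(const char *msg, void *ptr, int error) {
  (void)msg; (void)ptr;
  demo_last_error = error;
}
```

With demo_record_handler installed, an oversized copy returns ERANGE with the destination set to the empty string instead of terminating the process; passing a null handler reinstates the aborting default.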

Compliant Solution (Visual Studio 2008 and later)

Although the C11 Annex K functions were created by Microsoft, currently available versions of Microsoft Visual Studio do not support the same interface defined by the technical report for installing runtime-constraint handlers. Visual Studio calls these functions "invalid parameter handlers", and they are installed by calling the _set_invalid_parameter_handler() function. The signature of the handler is also significantly different [MSDN].

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Invalid parameter handler: Visual Studio's counterpart to a
 * runtime-constraint handler. It receives the failed expression and its
 * source location rather than a message and an error code. */
void handle_errors(
   const wchar_t* expression,
   const wchar_t* function,
   const wchar_t* file,
   unsigned int line,
   uintptr_t pReserved
) {
  /* Handle invalid parameter */
}

/* Typically run once during initialization, before any
 * bounds-checking function is called. */
void init(void) {
  _set_invalid_parameter_handler(handle_errors);
}

/* Returns zero on success */
errno_t function(char *dst1, size_t size) {
  char src1[100] = "hello";

  if (strcpy_s(dst1, size, src1) != 0) {
    return -1;
  }
  /* ... */
  return 0;
}

Risk Assessment

C11 Annex K indicates that if no constraint handler is set, a default one executes when errors arise. The default handler is implementation-defined and "may cause the program to exit or abort" [ISO/IEC 9899:2011]. It is important to understand the behavior of the default handler for all implementations being used and to replace it if the behavior is inappropriate for the application.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
ERR03-C          Low        Unlikely     Medium             P2         L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

[ISO/IEC 9899:2011] Subclause K.3.1.4, "Runtime-Constraint Violations"; Subclause K.3.6.1, "Runtime-Constraint Handling"
[MSDN] "Parameter Validation", http://msdn.microsoft.com/en-us/library/ksazx244.aspx
