Page History

...

The following table shows a list of C standard library functions that provide limited or no error checking and reporting along with preferable alternatives:

Noncompliant Code Example (atoi())

...

int si;

if (argc > 1) {
  si = atoi(argv[1]);
}

The atoi(), atol(), and atoll() functions convert the initial portion of a string token to int, long int, and long long int representation respectively. Except for the behavior on error, they are equivalent as follows:

Unfortunately, atoi() and related functions lack a mechanism for reporting errors for invalid values. Specifically, the atoi(), atol(), and atoll() functions

• Do not need to set errno on an error.
• Have BB. Definitions#undefined undefined behavior if the value of the result cannot be represented. (See CC. Undefined Behavior#ub_undefined behavior 119 of Annex J of the C Standard.)
• Return 0 if the string does not represent an integer (which is indistinguishable from a correctly formatted, zero-denoting input string), but the C Standard only specifies the behavior of these functions on success.

...

long sl;
int si;
char *end_ptr;

if (argc > 1) {
  errno = 0;

  sl = strtol(argv[1], &end_ptr, 10);

  if ((sl == LONG_MIN || sl == LONG_MAX)
   && errno != 0)
  {
    perror("strtol error");
  }
  else if (end_ptr == argv[1]) {
    if (puts("error encountered during conversion") == EOF) {
      /* Handle error */
    }
  }
  else if (sl > INT_MAX) {
    printf("%ld too large!\n", sl);
  }
  else if (sl < INT_MIN) {
    printf("%ld too small!\n", sl);
  }
  else if ('\0' != *end_ptr) {
    if (puts("extra characters on input line\n") == EOF) {
      /* Handle error */
    }
  }
  else {
    si = (int)sl;
  }
}

Both the noncompliant code example and the compliant solution are taken from INT06ERR34-C. Use strtol() or a related function to convert a string token to an integerDetect errors when converting a string to a number.

Noncompliant Code Example (rewind())

...

char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "r");
if (fp == NULL) {
  /* Handle open error */
}

/* Read data */

rewind(fp);

/* Continue */

It is impossible to determine if rewind() succeeded.

...

char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "r");
if (fp == NULL) {
  /* Handle open error */
}

/* Read data */

if (fseek(fp, 0L, SEEK_SET) != 0) {
  /* Handle repositioning error */
}

/* Continue */

Noncompliant Code Example (setbuf())

...

FILE *file;
/* Setup file */
setbuf(file, NULL);
/* ... */

It is not possible to determine if the call to setbuf() succeeded.

...

FILE *file;
char *buf = NULL;
/* Setup file */
if (setvbuf(file, buf, buf ? _IOFBF : _IONBF, BUFSIZ) != 0) {
  /* Handle error */
}
/* ... */

Risk Assessment

Although it is rare for a violation of this rule to result in a security BB. Definitions#vulnerability vulnerability, it can easily result in lost or misinterpreted data.

Automated Detection

This rule in general cannot be detected, although various examples can be detected by simply scanning for functions that have equivalent functions with better error handling.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...

...

Image Modified Image Modified Image Modified