Page History

The C Standard provides three functions that cause an application to terminate normally: _Exit(), exit(), and quick_exit(). These are collectively called exit functions. When the exit() function is called, or control transfers out of the main() entry point function, functions registered with atexit() are called (but not at_quick_exit()). When the quick_exit() function is called, functions registered with at_quick_exit() (but not atexit()) are called. These functions are collectively called exit handlers.  When the _Exit() function is called, no exit handlers or signal handlers are called.

Exit handlers must terminate No atexit() registered handler should terminate in any way other than by returning. It is important and potentially safety-critical for all the atexit() exit handlers to be allowed to perform their cleanup actions. This is particularly true because the application programmer does not always know about handlers that may have been installed by support libraries. Two specific issues include nested calls to an exit ()function and terminating a call to an atexit() registered exit handler by invoking longjmp.

The C99 exit() function is used for normal program termination (see ERR04-C. Choose an appropriate termination strategy). Nested calls to exit() result in undefined behavior (see also undefined behavior #172 in Annex J). This can only occur when exit() is invoked from a function registered with atexit(), or when exit() A nested call to an exit function is undefined behavior. (See undefined behavior 182.) This behavior can occur only when an exit function is invoked from an exit handler or when an exit function is called from within a signal handler. (see See SIG30-C. Call only asynchronous-safe functions within signal handlers.).

If a call to the longjmp() function is made that would terminate the call to a function registered with atexit(), the behavior is undefined.

Noncompliant Code Example

In this noncompliant code example, the exit1() and exit2() functions are registered by atexit() to perform required cleanup upon program termination. However, if some_condition evaluates to true, exit() is called a second time, resulting in undefined behavior.

#include <stdio.h>
#include <stdlib.h>

void exit1(void) {
  /* ...cleanup Cleanup code ... */
  return;
}
 
void exit2(void) {
  extern int some_condition;
  if (/* condition */some_condition) {
    /* ...more More cleanup code ... */
    exit(0);
  }
  return;
}

int main(void) {
  if (atexit(exit1) != 0) {
    /* Handle error */
  }
  if (atexit(exit2) != 0) {
    /* Handle error */
  }
  /* ...program Program code ... */
  return exit(0);
}

Because all functions Functions registered by the atexit() function are called in the reverse order of their registrationfrom which they were registered. Consequently, if exit2() exits in any way other than by returning, exit1() will not be executed. This The same may also be true for atexit() handlers installed by support libraries.

Compliant Solution

A function that is registered as an exit handler by atexit() must exit by returning, and not in any other manner.as in this compliant solution:

#include <stdio.h>
#include <stdlib.h>

void exit1(void) {
  /* ...cleanup Cleanup code ... */
  return;
}
 
void exit2(void) {
  extern int some_condition;
  if (/* condition */some_condition) {
    /* ...more More cleanup code ... */
  }
  return;
}

int main(void) {
  if (atexit(exit1) != 0) {
    /* Handle error */
  }
  if (atexit(exit2) != 0) {
    /* Handle error */
  }
  /* ...program Program code ... */
  exit(return 0);
}

Noncompliant Code Example

The function In this noncompliant code example, exit1() is registered by atexit(), so that upon program termination, exit1() is called. Execution will jump The exit1() function jumps back to main() and to return, with undefined results.

#include <stdio.h>
#include <stdlib.h>
#include <setjmp.h>

jmp_buf env;
int val;

void exit1(void) {
  /* ... */
  longjmp(env, 1);
}

int main(void) {
  if (atexit(exit1) != 0) {
    /* Handle error */
  }
  /* ... */
  if (setjmp(env) == 0) {
    exit(0);
  }
  else {
    return 0;
  }
}

Compliant Solution

Careful thought about program flow is the best prevention for an invalid call to This compliant solution does not call longjmp(). After the exit function has been called, avoid using longjmp() where it will cause a function to terminate.but instead returns from the exit handler normally:

#include <stdlib.h>

void exit1(void) {
  /* ... */
  return;
}

int main(void) {
  if (atexit(exit1) != 0) {
    /* Handle error */
  }
  /* ... */
  exit(0)return 0;
}

Risk Assessment

Terminating a call to an atexit() registered exit handler in any way other than by returning results in is undefined behavior and may result in abnormal program termination or other unpredictable behavior. It may also prevent other registered handlers from being invoked.

Automated Detection

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as ENV32-CPP. All atexit handlers must return normally.

References

\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]  Section 7.20.4.3, "The {{exit}} function"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "EWD Structured Programming" and "REU Termination Strategy"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 705|http://cwe.mitre.org/data/definitions/705.html], "Incorrect Control Flow Scoping"

Related Guidelines

Key here (explains table format and definitions)

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-705 and ENV32-C

CWE-705 = Union( ENV32-C, list) where list =

• Improper control flow besides a non-returning exit handler

...

Image Added Image Added Image AddedImage Removed      10. Environment (ENV)      11. Signals (SIG)