Avoid in-band error indicators when designing interfaces. This practice is commonly used by C library functions but is not recommended. One example from the C Standard of a troublesome in-band error indicator is EOF (see FIO34-C. Distinguish between characters read from a file and EOF or WEOF). Another problematic use of in-band error indicators from the C Standard, involving the size_t and time_t types, is described by
...
```c
#define __STDC_WANT_LIB_EXT1__ 1  /* request the Annex K bounds-checking interfaces */
#include <string.h>

/* Runtime-constraint handler with the signature Annex K requires;
 * it is invoked by strcpy_s() when a constraint is violated. */
void handle_errors(const char *msg, void *ptr, errno_t error) {
  (void)msg; (void)ptr; (void)error;
  /* Define what to do when error occurs */
}

/* ... */

set_constraint_handler_s(handle_errors);

/* ... */

/* Returns zero on success */
errno_t function(char *dst1, size_t dst_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst_size, src1);
  /*
   * At this point strcpy_s may have yielded an
   * error, and handle_errors() might have returned.
   */

  /* ... */
  return 0;
}
```
...
```c
#define __STDC_WANT_LIB_EXT1__ 1  /* request the Annex K bounds-checking interfaces */
#include <string.h>

/*
 * The abort_handler_s() function writes
 * a message on the standard error stream and
 * then calls the abort() function.
 */
set_constraint_handler_s(abort_handler_s);

/* ... */

/* Returns zero on success */
errno_t function(char *dst1, size_t dst_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst_size, src1);
  /*
   * Because abort_handler_s() never returns,
   * we get here only if strcpy_s() succeeds.
   */

  /* ... */
  return 0;
}
```
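The design point behind this recommendation, as an added example that is not part of the CERT page: the same copy routine written with an in-band sentinel and with an out-of-band status (a plain int stands in for Annex K's errno_t, since that library is rarely available), plus a caller that shows how an unchecked sentinel turns into a bogus length. All function names and the 8-byte buffer are constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* In-band design: the sentinel (size_t)-1 lives in the same type as a valid
 * length, so a caller that skips the check silently uses it as a length. */
size_t copy_inband(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return (size_t)-1;
    }
    size_t len = strlen(src);
    if (len >= dst_size) {
        return (size_t)-1;          /* error hidden inside the value domain */
    }
    memcpy(dst, src, len + 1);
    return len;
}

/* Out-of-band design: the status is returned separately (an int in the
 * spirit of Annex K's errno_t), the length goes through an out-parameter,
 * and dst is left in a defined state on every path. */
int copy_outband(char *dst, size_t dst_size, const char *src, size_t *out_len) {
    if (dst == NULL || src == NULL || dst_size == 0 || out_len == NULL) {
        return EINVAL;
    }
    size_t len = strlen(src);
    if (len >= dst_size) {
        dst[0] = '\0';
        *out_len = 0;
        return ERANGE;
    }
    memcpy(dst, src, len + 1);
    *out_len = len;
    return 0;
}

/* A caller that forgets the in-band check and does arithmetic on the result:
 * for an over-long src, 8 - (size_t)-1 wraps to 9, a "remaining space" that
 * is larger than the buffer itself and would be trusted by a later write. */
size_t remaining_unchecked(const char *src) {
    char buf[8];
    size_t n = copy_inband(buf, sizeof buf, src);
    return sizeof buf - n;
}
```

With the out-of-band form the status check cannot be confused with the result, and a caller that ignores the status still sees an empty string and a length of zero rather than an arbitrary value.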
...
The risk in using in-band error indicators is difficult to quantify and is consequently given as low. However, if the use of in-band error indicators results in programmers' failing to check status codes or incorrectly checking them, the consequences can be more severe.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR02-C | Low | Unlikely | High | P1 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft C/C++test | | CERT_C-ERR02-a | The input/output functions from the 'cstdio' and 'cwchar' libraries should not be used |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
...
...