If control reaches the closing curly brace (}) of a non-void function without evaluating a return statement, using the return value of the function call is undefined behavior. (See undefined behavior 88.)
Noncompliant Code Example
...
This error is frequently diagnosed by compilers. (See MSC00-C. Compile cleanly at high warning levels.)
Compliant Solution
This compliant solution ensures that the checkpass() function always returns a value:
...
```
example.c: In function 'getlen':
example.c:12: warning: control reaches end of non-void function
```
...
This compliant solution changes the interface of getlen() to store the result in a user-provided pointer and returns a status indicator to report success or failure. The best method for handling this type of error is specific to the application and the type of error. (See ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy for more on error handling.)
```c
#include <stddef.h>

int getlen(const int *input, size_t maxlen, int delim,
           size_t *result) {
  if (result == NULL) {
    return -1;
  }
  for (size_t i = 0; i < maxlen; ++i) {
    if (input[i] == delim) {
      *result = i;
      return 0;
    }
  }
  return -1;  /* delim not found */
}

void func(int userdata) {
  size_t i;
  int data[] = {1, 1, 1};
  /* Pass the element count, not the byte size, as maxlen */
  if (getlen(data, sizeof(data) / sizeof(data[0]), 0, &i) != 0) {
    /* Handle error */
  } else {
    data[i] = userdata;
  }
}
```
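The same status-plus-out-parameter interface applied to a switch over an enum, another common place for a path to reach the closing brace; this goes beyond the getlen() case. It is an added example, not code from the original page, and enum role, perm_table, role_slot() and perms_for() are hypothetical names.

```c
#include <stddef.h>

/* Constructed for illustration; none of these names come from the page. */
enum role { ROLE_GUEST, ROLE_USER, ROLE_ADMIN };

static const unsigned perm_table[] = { 0x1u, 0x3u, 0x7u }; /* r, rw, rwx */

#if 0 /* Noncompliant form, kept out of the build */
size_t role_slot_bad(enum role r) {
  switch (r) {
  case ROLE_GUEST: return 0;
  case ROLE_USER:  return 1;
  case ROLE_ADMIN: return 2;
  }
  /* A value outside the enum reaches the closing brace; the caller
     then indexes perm_table with an indeterminate value. */
}
#endif

/* Compliant: every path returns a status; *slot is written only on success. */
int role_slot(enum role r, size_t *slot) {
  if (slot == NULL) {
    return -1;
  }
  switch (r) {
  case ROLE_GUEST: *slot = 0; return 0;
  case ROLE_USER:  *slot = 1; return 0;
  case ROLE_ADMIN: *slot = 2; return 0;
  }
  return -1; /* unknown role: report failure instead of falling off the end */
}

/* Caller grants nothing unless the lookup succeeded and is in range. */
unsigned perms_for(enum role r) {
  size_t slot;
  if (role_slot(r, &slot) != 0 ||
      slot >= sizeof(perm_table) / sizeof(perm_table[0])) {
    return 0u;
  }
  return perm_table[slot];
}
```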
...
MSC37-C-EX1: According to the C Standard, 5.1.2.3.4, paragraph 1 [ISO/IEC 9899:2024], "Reaching the } that terminates the main function returns a value of 0." As a result, it is permissible for control to reach the end of the main() function without executing a return statement.
...
Using the return value from a non-void function where control reaches the end of the function without evaluating a return statement can lead to buffer overflow vulnerabilities as well as other unexpected program behaviors.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC37-C | High | Unlikely | Low | P9 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Astrée |  | return-implicit | Fully checked |
Axivion Bauhaus Suite |  | CertC-MSC37 |  |
CodeSonar |  | LANG.STRUCT.MRS | Missing return statement |
Coverity |  | MISSING_RETURN | Implemented |
Cppcheck |  | missingReturn | Fully implemented |
Cppcheck Premium |  | missingReturn | Fully implemented |
Helix QAC |  | C++4022 DF2888 |  |
Klocwork |  | FUNCRET.GEN FUNCRET.IMPLICIT |  |
LDRA tool suite |  | 2 D, 36 S, 66 S | Fully implemented |
Parasoft C/C++test |  | CERT_C-MSC37-a | All exit paths from a function, except main(), with non-void return type shall have an explicit return statement with an expression |
PC-lint Plus |  | 533 | Fully supported |
Polyspace Bug Finder |  | CERT C: Rule MSC37-C | Function does not return value though return type is not void. Checks for missing return statement (rule fully covered) |
RuleChecker |  | return-implicit | Fully checked |
SonarQube C/C++ Plugin |  | S935 |  |
TrustInSoft Analyzer |  | Body of function falls-through | Exhaustively verified. |
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | MSC01-C. Strive for logical completeness | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-758 | 2017-07-07: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-758 and MSC37-C
Independent( INT34-C, INT36-C, MEM30-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( MSC37-C, list) where list =
Undefined behavior that results from anything other than failing to return a value from a function that expects one
Bibliography
...
...