According to the C Standard Annex J.2 (133) [ISO/IEC 9899:2024], the behavior of a program is undefined when
...
A signal handler is allowed to call signal(); if that fails, signal() returns SIG_ERR and sets errno to a positive value. However, if the event that caused a signal was external (not the result of the program calling abort() or raise()), the only functions the signal handler may call are _Exit() or abort(), or it may call signal() on the signal currently being handled; if signal() fails, the value of errno is indeterminate.
...
POSIX is less restrictive than C about what applications can do in signal handlers. It has a long list of asynchronous-safe functions that can be called (see SIG30-C. Call only asynchronous-safe functions within signal handlers). Many of these functions set errno on error, which can lead to a signal handler being executed between a call to a failed function and the subsequent inspection of errno. Consequently, the value inspected is not the one set by that function but the one set by a function call in the signal handler. POSIX applications can avoid this problem by ensuring that signal handlers containing code that might alter errno always save the value of errno on entry and restore it before returning.
The signal handler in this noncompliant code example alters the value of errno. As a result, it can cause incorrect error handling if executed between a failed function call and the subsequent inspection of errno:
...
Referencing indeterminate values of errno is undefined behavior.
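As an added example (not code from this CERT page), the clobbering and the POSIX save-and-restore fix side by side. It assumes a POSIX system where write() on an invalid descriptor fails with EBADF, and uses a constructed errno = EINVAL to stand in for a library call that just failed:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <unistd.h>

/* Noncompliant handler: write() is async-signal-safe under POSIX, but it
 * fails here (fd -1) and overwrites errno with EBADF, destroying the value
 * the interrupted code was about to inspect. */
static void handler_noncompliant(int sig) {
    (void)sig;
    (void)write(-1, "x", 1);
}

/* Compliant handler: save errno on entry and restore it before returning,
 * so whatever the handler does cannot disturb the interrupted code. */
static void handler_compliant(int sig) {
    int saved_errno = errno;
    (void)sig;
    (void)write(-1, "x", 1);
    errno = saved_errno;
}

/* Install h for SIGUSR1, simulate a failed call (constructed: errno = EINVAL),
 * then deliver the signal so the handler runs between the failure and the
 * errno check. Returns the errno value the caller would then inspect, or -1
 * if the signal could not be installed or raised. */
int errno_after_signal(void (*h)(int)) {
    void (*prev)(int) = signal(SIGUSR1, h);
    if (prev == SIG_ERR) {
        return -1;
    }
    errno = EINVAL;            /* as if a library call just failed */
    if (raise(SIGUSR1) != 0) { /* handler runs synchronously here */
        (void)signal(SIGUSR1, prev);
        return -1;
    }
    int observed = errno;      /* the "subsequent inspection of errno" */
    (void)signal(SIGUSR1, prev);
    return observed;
}
```

With the noncompliant handler the caller sees EBADF, an error from a call it never made; with the compliant handler it sees the EINVAL it was entitled to.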
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR32-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Astrée | | chained-errno-function-calls, errno-test-after-wrong-call | Supported |
Axivion Bauhaus Suite | | CertC-ERR32 | |
Compass/ROSE | | | Could detect violations of this rule by looking for signal handlers that themselves call |
Coverity | | MISRA C 2012 Rule 22.8, MISRA C 2012 Rule 22.9, MISRA C 2012 Rule 22.10 | Implemented |
Cppcheck Premium | | premium-cert-err32-c | Partially implemented |
Helix QAC | | C2031, DF4781, DF4782, DF4783 | |
Klocwork | | MISRA.INCL.SIGNAL.2012 | |
LDRA tool suite | | 44 S | Enhanced enforcement |
Parasoft C/C++test | | CERT_C-ERR32-a | Properly use errno value |
| | CERT C: Rule ERR32-C | Checks for misuse of errno in a signal handler (rule fully covered) |
RuleChecker | | chained-errno-function-calls, errno-test-after-wrong-call | Supported |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | SIG30-C. Call only asynchronous-safe functions within signal handlers | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT C Secure Coding Standard | SIG31-C. Do not access shared objects in signal handlers | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
...
...