SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 85

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user Aleksandr Karbyshev

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added Axivion Bauhaus entry to Automated Detection table

...

C11 Annex K  introduced the new type errno_t that is defined to be type int in errno.h and elsewhere. Many of the functions defined in C11 Annex K return values of this type [ISO/IEC 9899:2011]. The errno_t type should be used as the type of an object that may contain only values that might be found in errno. For example, a function that returns the value of errno should be declared as having the return type errno_t.

This recommendation depends on C11 Annex K being implemented.   The following code can be added to remove this dependency:


Code Block
languagecpp
#ifndef __STDC_LIB_EXT1__
  typedef int errno_t;
#endif
 

Noncompliant Code Example
...
This noncompliant code example nevertheless complies with ERR30-C.  Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failureTake care when reading errno.
Compliant Solution (POSIX)
...
 Code Block
bgColor#ccccff
langc
#define __STDC_WANT_LIB_EXT1__ 1
 
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
    
enum { NO_FILE_POS_VALUES = 3 };

errno_t opener(
  FILE *file,
  size_t *width,
  size_t *height,
  size_t *data_offset
) {
  size_t file_w;
  size_t file_h;
  size_t file_o;
  fpos_t offset;

  if (NULL == file) { return EINVAL; }
  errno = 0;
  if (fgetpos(file, &offset) != 0 ) { return errno; }
  if (fscanf(file, "%zu %zu %zu", &file_w, &file_h, &file_o)
        != NO_FILE_POS_VALUES) {
    return EIO;
  }

  errno = 0;
  if (fsetpos(file, &offset) != 0 ) { return errno; }

  if (width != NULL) { *width = file_w; }
  if (height != NULL) { *height = file_h; }
  if (data_offset != NULL) { *data_offset = file_o; }

  return 0;
}

This compliant solution is categorized as a POSIX solution because it returns EINVAL and EIO , which are defined by POSIX (IEEE Std 1003.1, 2013 Edition) but not by the C Standard.
...
Failing to test for error conditions can lead to vulnerabilities of varying severity. Declaring functions that return an errno with a return type of errno_t will not eliminate this problem but may reduce errors caused by programmers' misunderstanding the purpose of a return value.
Recommendation
Severity
Likelihood
Remediation Cost
Priority
Level
DCL09-C
low
Low
unlikely
Unlikely
low
Low
P3
L3
Automated Detection
Tool
Version
Checker
Description
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-DCL09
LDRA tool suite
 
 Include Page
LDRA_V
LDRA_V
634 SPartially Implemented
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ 
 Secure 
 Coding StandardVOID DCL09-CPP. Declare functions that return errno with a return type of errno_t
ISO/IEC 9899:2011K.3.2 "Errors <errno.h>"
ISO/IEC TR 24772:2013Ignored Error Status and Unhandled Exceptions [OYB]
MISRA C:2012Directive 1.1 (required)
Bibliography
[Open Group 2004]
 
Image Removed Image Removed Image Removed
 
Bibliography
[IEEE Std 1003.1:2013]

...
Image Added Image Added Image Added