TR24731-1 provides a mechanism to handle violations of constraints that may only be discerned at runtime. Section 6.1.4 states:
1 Most functions in this technical report include as part of their specification a list of runtime-constraints. These runtime-constraints are requirements on the program using the library.
and
4 The runtime-constraint handler might not return. If the handler does return, the library function whose runtime-constraint was violated shall return some indication of failure as given by the returns section in the function's specification.
These runtime-constraint handlers mitigate some of the potential insecurity caused by in-band error indicators: the handler is invoked at the point of the violation, so a failure that would otherwise be signaled only through a return value the caller might ignore is guaranteed to be noticed. See ERR02-A. Avoid in-band error indicators.
Non-Compliant Code Example
In this non-compliant code example, set_constraint_handler_s() has not been called, so the implementation-defined default handler runs when a runtime-constraint violation occurs. This results in inconsistent behavior across implementations and possibly termination of the program instead of a graceful exit.
    #define __STDC_WANT_LIB_EXT1__ 1
    #include <string.h>

    /* No constraint handler has been installed, so a violation in
       strcpy_s() invokes the implementation-defined default handler */
    errno_t function(char *dst1, rsize_t dst1_size) {
        char src1[100] = "hello";
        /* The destination capacity is passed in explicitly: sizeof(dst1)
           on a char * parameter would yield the pointer size, not the
           size of the buffer it points to */
        if (strcpy_s(dst1, dst1_size, src1) != 0) {
            return -1;
        }
        /* ... */
        return 0;
    }
Compliant Code Example (TR24731-1)
    #define __STDC_WANT_LIB_EXT1__ 1
    #include <string.h>

    /* constraint_handler_t is a pointer to a function with this signature;
       the handler itself returns void */
    void handle_errors(const char *msg, void *ptr, errno_t error) {
        /* define what to do when a runtime-constraint violation occurs */
    }

    /* ... during program initialization: */
    set_constraint_handler_s(handle_errors);
    /* ... */

    /* Returns zero on success */
    errno_t function(char *dst1, rsize_t dst1_size) {
        char src1[100] = "hello";
        /* The destination capacity is passed in explicitly: sizeof(dst1)
           on a char * parameter would yield the pointer size */
        if (strcpy_s(dst1, dst1_size, src1) != 0) {
            return -1;
        }
        /* ... */
        return 0;
    }
Compliant Code Example (Visual Studio 2008/.NET Framework 3.5)
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>

    /* _invalid_parameter_handler is a pointer to a function with this
       signature; the handler itself returns void. Note that the CRT
       passes NULL/0 for these parameters in release builds, so the
       handler cannot rely on them for diagnostics outside debug builds */
    void handle_errors(const wchar_t *expression, const wchar_t *function,
                       const wchar_t *file, unsigned int line,
                       uintptr_t pReserved) {
        /* define what to do when an invalid parameter is detected */
    }

    /* ... during program initialization: */
    _set_invalid_parameter_handler(handle_errors);
    /* ... */

    /* Returns zero on success */
    errno_t function(char *dst1, size_t dst1_size) {
        char src1[100] = "hello";
        /* The destination capacity is passed in explicitly: sizeof(dst1)
           on a char * parameter would yield the pointer size */
        if (strcpy_s(dst1, dst1_size, src1) != 0) {
            return -1;
        }
        /* ... */
        return 0;
    }
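The following is an added example, not code from the original page or from any TR24731-1 implementation. It shows the handler mechanism of section 6.1.4 end to end: because glibc does not provide these functions, the block models the library side itself (the names with a demo_ prefix are chosen here and stand in for constraint_handler_t, set_constraint_handler_s(), strcpy_s() and abort_handler_s()), then calls it the way the compliant examples above call the real API. The inputs (a 16-byte and a 4-byte destination, and a null destination) are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pointer-to-handler type, mirroring TR24731-1's constraint_handler_t
 * (all demo_ names are this example's, not the library's). */
typedef void (*demo_constraint_handler_t)(const char *msg, void *ptr, int error);

/* Default handler, like abort_handler_s(): reports and never returns. */
static void demo_abort_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    fprintf(stderr, "runtime-constraint violation: %s (error %d)\n", msg, error);
    abort();
}

static demo_constraint_handler_t current_handler = demo_abort_handler;

/* Mirrors set_constraint_handler_s(): installs a handler and returns the
 * previously installed one; a null argument restores the default. */
demo_constraint_handler_t
demo_set_constraint_handler(demo_constraint_handler_t handler) {
    demo_constraint_handler_t previous = current_handler;
    current_handler = (handler != NULL) ? handler : demo_abort_handler;
    return previous;
}

/* Bounded copy with strcpy_s-style runtime constraints: s1 and s2 must be
 * non-null, s1max must be nonzero, and s2 (including its terminator) must
 * fit in s1max bytes. On a violation the destination is emptied when that
 * is possible, the handler is invoked, and, if the handler returns, EINVAL
 * is returned as the failure indication required by 6.1.4 paragraph 4. */
int demo_strcpy_s(char *s1, size_t s1max, const char *s2) {
    const char *violation = NULL;
    size_t n = 0;

    if (s1 == NULL || s2 == NULL) {
        violation = "null pointer argument";
    } else if (s1max == 0) {
        violation = "destination size is zero";
    } else {
        while (n < s1max && s2[n] != '\0') {
            n++;
        }
        if (n == s1max) {
            violation = "source string does not fit in destination";
        }
    }

    if (violation != NULL) {
        if (s1 != NULL && s1max > 0) {
            s1[0] = '\0';
        }
        current_handler(violation, s1, EINVAL);
        return EINVAL;   /* reached only if the handler chose to return */
    }

    memcpy(s1, s2, n + 1);   /* n is the source length; +1 copies the terminator */
    return 0;
}

/* Application handler that records the violation and returns, so the
 * caller sees the failure return value instead of an abort. */
static int violations_seen = 0;
static char last_violation[128];

static void demo_record_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    (void)error;
    violations_seen++;
    snprintf(last_violation, sizeof last_violation, "%s", msg);
}

int demo_violation_count(void) {
    return violations_seen;
}

/* The page's function(), with the destination capacity passed explicitly
 * because sizeof on a char * parameter yields only the pointer size. */
int copy_hello(char *dst1, size_t dst1_size) {
    const char src1[] = "hello";
    if (demo_strcpy_s(dst1, dst1_size, src1) != 0) {
        return -1;
    }
    return 0;
}

int main(void) {
    char big[16];
    char small[4];
    int rc;

    /* Without this call the default handler would abort on the second copy. */
    demo_set_constraint_handler(demo_record_handler);

    rc = copy_hello(big, sizeof big);
    printf("16-byte destination: rc=%d, dst=\"%s\"\n", rc, big);
    rc = copy_hello(small, sizeof small);
    printf(" 4-byte destination: rc=%d, dst=\"%s\"\n", rc, small);
    printf("violations recorded: %d (last: %s)\n", demo_violation_count(), last_violation);
    return 0;
}
```

With the default handler left in place, the 4-byte copy would terminate the process; with demo_record_handler installed, demo_strcpy_s() empties the destination, the handler returns, and copy_hello() reports -1 so the caller decides what to do. On an implementation that provides TR24731-1 the demo_ functions are replaced by set_constraint_handler_s() and strcpy_s(), and the handler receives the same (msg, ptr, error) triple.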
Risk Analysis
TR24731-1 specifies that if no constraint handler has been set, a default handler executes when a runtime-constraint violation occurs. The default handler is implementation-defined and "may cause the program to exit or abort". Installing a constraint handler therefore lets the program choose how to respond to a violation instead of terminating unexpectedly.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
ERR03-A | low | unlikely | low | P3 | L3
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
ERR02-A. Avoid in-band error indicators
13. Error Handling (ERR)
ERR30-C. Set errno to zero before calling a function, and use it only after the function returns a value indicating failure