SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

Many functions return useful values whether or not the function has side effects. In most cases, this value is used to signify whether the function successfully completed its task or if some error occurred (see ERR02-A. Avoid in-band error indicators). Other times, the value is the result of some computation and is a necessary output.

Section 6.8.3 of C99 [[ISO/IEC 9899:1999]] states that

The expression in an expression statement is evaluated as a void expression for its side effects.

All expression statements, such as function calls with an ignored value, are implicitly cast to void. Since a return value often contains important information about possible errors, it should always be checked; otherwise, the cast should be made explicit to signify programmer intent. If a function returns no meaningful value, it should be declared with return type void.

This recommendation encompasses MEM32-C. Detect and handle memory allocation errors, FIO04-A. Detect and handle input and output errors, and FIO34-C. Use int to capture the return value of character IO functions.

Non-Compliant Code Example

This non-compliant code example calls puts() and fails to check whether a write error occurs.

puts("foo");

However, puts() can fail and return EOF. If the output were determined to be critical, then the return value should have been checked.

Compliant Solution

This compliant solution checks to make sure no output error occurred (see FIO04-A. Detect and handle input and output errors).

if (puts("foo") == EOF) {
  /* Handle Error */
}

Exceptions

EXP12-EX1: If the return value is inconsequential or if any errors can be safely ignored, such as for functions called because of their side effects, the function should be explicitly cast to void to signify programmer intent. See the compliant solution for removing an existing destination file in FIO10-A. Take care when using the rename() function for an example of this exception.

EXP12-EX2: If a function cannot fail or if the return value cannot signify an error condition, the return value may be ignored. Such functions should be added to a white list when automatic checkers are used.

strcpy(dst, src);

Risk Assessment

Failure to handle error codes or other values returned by functions can lead to incorrect program flow and violations of data integrity.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

EXP12-A

medium

unlikely

medium

P4

L3

Automated Detection

Splint Version 3.1.1 can detect violations of this recommendation.

Compass/ROSE can detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899:1999]] Section 6.8.3, "Expression and null statements"
[[ISO/IEC PDTR 24772]] "CSJ Passing Parameters and Return Values"

EXP11-A. Do not apply operators expecting one type to data of an incompatible type      03. Expressions (EXP)       EXP30-C. Do not depend on order of evaluation between sequence points

  • No labels