Structure: Simple
Abstraction: Base
Status: Incomplete
Likelihood of Exploit: Low
The software incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
Important and common functions return a value indicating whether their action succeeded. This value tells the program whether it needs to handle an error raised by that function, so the check must match the convention the function actually uses (for example, a null pointer rather than a negative number); a check written against the wrong convention silently misses the error.
Relationship: ChildOf CWE-573 Improper Following of Specification by Caller (View 1000, Ordinal: Primary)
Relationship: ChildOf CWE-754 Improper Check for Unusual or Exceptional Conditions (View 1000)
Applicable Platforms: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Notes |
---|---|---|
Availability, Integrity | Unexpected State; DoS: Crash, Exit, or Restart | An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. |
Mitigation (Strategy: Language Selection): Use a language or compiler that uses exceptions and requires the catching of those exceptions.
Mitigation: Properly check the return value of every function that returns one, against the error convention that function actually documents.
Mitigation: When designing any function, make sure it returns a distinct status value or throws an exception in case of an error, so that a legitimate result can never be confused with a failure.
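The three mitigations above come together in the following added example (it is not code from the CWE entry). `parse_port` is a hypothetical helper that reads a TCP port from text: its return value carries only a status, the parsed number travels through an out-parameter, and every error channel of `strtol()` (`errno`, the end pointer, the range) is checked separately, because the return value of `strtol()` alone cannot distinguish a parsed 0 from unparseable input. `parse_port_bad_check` shows the incorrect check this weakness describes, treating a zero return as the only error signal. The sample inputs are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not code from the CWE entry. parse_port is a hypothetical
 * helper that turns text into a TCP port number. The return value carries
 * only a status (0 success, -1 failure) and the parsed number travels
 * through *out, so a legitimate result of 0 can never be mistaken for an
 * error. */
int parse_port(const char *text, unsigned *out)
{
    char *end = NULL;
    long val;

    if (text == NULL || out == NULL || *text == '\0')
        return -1;

    /* strtol() sets errno on overflow but never clears it, so reset first. */
    errno = 0;
    val = strtol(text, &end, 10);

    /* The return value alone is ambiguous: 0 comes back both for "0" and for
     * input with no digits, and LONG_MAX/LONG_MIN for out-of-range input.
     * Each error condition has to be checked through its own channel. */
    if (errno == ERANGE)        /* value did not fit in a long */
        return -1;
    if (end == text)            /* no digits were consumed, e.g. "abc" */
        return -1;
    if (*end != '\0')           /* trailing characters, e.g. "80x" */
        return -1;
    if (val < 0 || val > 65535) /* parsed, but not a valid port */
        return -1;

    *out = (unsigned)val;
    return 0;
}

/* The incorrect check the weakness describes, in miniature: the caller
 * treats a zero return from strtol() as the only error signal. This rejects
 * the legal input "0" and accepts "80x" (as 80) and "70000" (as a port). */
int parse_port_bad_check(const char *text, unsigned *out)
{
    long val = strtol(text, NULL, 10);
    if (!val)                   /* wrong: 0 is also a valid result */
        return -1;
    *out = (unsigned)val;
    return 0;
}

/* Report how a parser handled one input: 1 if it accepted the input with the
 * given value, 0 if it rejected it or produced a different value. */
int accepts_as(int (*parser)(const char *, unsigned *), const char *text,
               unsigned expected)
{
    unsigned port = 12345;      /* sentinel so a skipped write is visible */
    return parser(text, &port) == 0 && port == expected;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *inputs[] = { "8080", "0", "abc", "80x", "70000" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned good = 0, bad = 0;
        int rc_good = parse_port(inputs[i], &good);
        int rc_bad = parse_port_bad_check(inputs[i], &bad);
        printf("%-6s  full check: %s %u   zero-only check: %s %u\n", inputs[i],
               rc_good == 0 ? "ok  " : "fail", good,
               rc_bad == 0 ? "ok  " : "fail", bad);
    }
    return 0;
}
```

Running it shows the two parsers disagreeing exactly where the return-value convention is misread: `"0"` is a valid port that the zero-only check rejects, while `"80x"` and `"70000"` are bad inputs it accepts. Keeping status and value on separate channels is what makes the correct version possible to check at all.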
This code attempts to allocate memory for 4 integers and checks if the allocation succeeds.
(bad code) Example Language: C
The code assumes that only a negative return value would indicate an error, but malloc() signals failure by returning a null pointer. A null pointer compares equal to 0, not less than 0, so the check never fires; tmp is then used as if the allocation had succeeded, and the error is missed.
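The following added example (not the CWE entry's own code) puts the incorrect negative-value check next to the correct NULL check and drives both through a forced allocation failure. `sim_malloc()` is a hypothetical stand-in for `malloc()` that can be made to fail on demand, so the failure path can be exercised without exhausting memory; everything else is standard C.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the CWE entry's own code. sim_malloc() is a hypothetical
 * stand-in for malloc() that can be forced to fail, so the failure path runs
 * without exhausting real memory. On failure it does what malloc() does:
 * returns NULL and sets errno. */
static int g_force_alloc_failure = 0;

static void *sim_malloc(size_t n)
{
    if (g_force_alloc_failure) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(n);
}

/* The check the CWE describes: the caller assumes a failed allocation comes
 * back as a negative value. A null pointer is 0, never negative, so this
 * condition cannot fire and the NULL is handed to the caller as if valid.
 * (The cast keeps the ordered comparison well-defined; the logic is the same
 * as comparing the pointer itself against 0.) */
int alloc_ints_negative_check(size_t count, int **out)
{
    int *tmp = (int *)sim_malloc(count * sizeof(int));
    if ((intptr_t)tmp < 0) {      /* wrong: NULL == 0, not < 0 */
        perror("malloc");
        return -1;
    }
    *out = tmp;
    return 0;
}

/* Corrected check: malloc() reports failure with exactly one value, NULL. */
int alloc_ints_null_check(size_t count, int **out)
{
    int *tmp = (int *)sim_malloc(count * sizeof(int));
    if (tmp == NULL) {
        perror("malloc");
        *out = NULL;
        return -1;
    }
    *out = tmp;
    return 0;
}

/* Force one allocation failure and report what the caller saw: 1 if the
 * function claimed success while handing back NULL (the weakness), 0 if it
 * reported the failure. */
int failure_goes_unnoticed(int (*alloc_fn)(size_t, int **))
{
    int *p = NULL;
    int rc;

    g_force_alloc_failure = 1;
    rc = alloc_fn(4, &p);
    g_force_alloc_failure = 0;

    free(p);                      /* free(NULL) is a no-op */
    return rc == 0 && p == NULL;
}

/* Sanity check of the success path: 1 if the allocator returned a usable
 * buffer of 4 ints and reported success. */
int allocation_succeeds(int (*alloc_fn)(size_t, int **))
{
    int *p = NULL;
    int ok = alloc_fn(4, &p) == 0 && p != NULL;
    if (ok)
        p[3] = 42;                /* touch the last element */
    free(p);
    return ok;
}

int main(void)
{
    printf("negative check misses failure: %d\n",
           failure_goes_unnoticed(alloc_ints_negative_check));
    printf("NULL check misses failure:     %d\n",
           failure_goes_unnoticed(alloc_ints_null_check));
    return 0;
}
```

Both versions behave identically while memory is available, which is why this kind of defect survives testing: the difference only appears under the failure the check was supposed to catch, at which point the negative-value version returns success and a NULL pointer that the caller will dereference.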
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Misinterpreted function return value |
Software Fault Patterns | SFP4 | | Unchecked Status Condition |
CERT C Secure Coding | ERR33-C | Imprecise | Detect and handle standard library errors |
CERT C Secure Coding | POS54-C | Imprecise | Detect and handle POSIX library errors |