...
The ungetc() function does not set the error indicator even when it fails, so it is not possible to check for errors reliably unless it is known that the argument is not equal to EOF.
The C Standard 7.31.3.10 paragraph 3 [ISO/IEC 9899:20112024] states that "one
)ne wide character of pushback is guaranteed...
," so this should not be an issue if, at most, one character is ever pushed back before reading again. (See FIO13-C. Never push back anything other than one read character.)
...
In this noncompliant code example, snprintf() is assumed to succeed. However, if the call fails (for example, because of insufficient memory, as described in GNU libc bug 441945), the subsequent call to log_message() has undefined behavior 174 because the character buffer is uninitialized and need not be null-terminated.
...
- that function cannot fail.
- its return value is inconsequential; that is, it does not indicate an error.
- it is one of a handful of functions whose return values are not traditionally checked.
These functions are listed in the following table:
Functions for which Return Values Need Not Be Checked
...
Failing to detect error conditions can lead to unpredictable results, including abnormal program termination and denial-of-service attacks or, in some situations, could even allow an attacker to run arbitrary code.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
ERR33-C | High | Likely | Yes | YesMedium | P18P27 | L1 |
Automated Detection
Tool | Version | Checker | Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| error-information-unused error-information-unused-computed | Partially checked | |||||||||
| Axivion Bauhaus Suite |
| CertC-ERR33 | ||||||||||
| CodeSonar |
| LANG.FUNCS.IRV | Ignored return value Missing Test of Error Code Non-zero Error Code | |||||||||
| Compass/ROSE | Can detect violations of this recommendation when checking for violations of EXP12-C. Do not ignore values returned by functions and EXP34-C. Do not dereference null pointers | |||||||||||
| Coverity |
| MISRA C 2012 Rule 22.8 MISRA C 2012 Rule 22.9 MISRA C 2012 Rule 22.10 | Implemented | |||||||||
| Cppcheck Premium |
| premium-cert-err33-c | ||||||||||
| Helix QAC |
| C3200 C++3802, C++3803, C++3804 DF2820, DF2821, DF2822, DF2823, DF2824, DF2930, DF2931, DF2932, DF2933, DF2934 | ||||||||||
| Klocwork |
| NPD.CHECK.MUST | ||||||||||
| LDRA tool suite |
| 80 D | Partially implemented | |||||||||
| Parasoft C/C++test |
| CERT_C-ERR33-a | bd | de | The value returned by a standard library function that may return an error should be used | The standard library functions for which return values need not be checked should be cast to 'void'Always check the returned value of non-void function | ||||||
| Parasoft Insure++ | Runtime analysis | |||||||||||
| PC-lint Plus |
| 534 | Partially supported | |||||||||
| Checks for:
Rule partially covered. | |||||||||||
| RuleChecker |
| error-information-unused | Partially checked | |||||||||
| TrustInSoft Analyzer |
| pointer arithmetic | Exhaustively verified. |
Related Vulnerabilities
The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even when calloc() returns a null pointer, Flash writes to an offset from the return value. Dereferencing a null pointer usually results in a program crash, but dereferencing an offset from a null pointer allows an exploit to succeed without crashing the program.
...
| [DHS 2006] | Handle All Errors Safely |
| [Henricson 1997] | Recommendation 12.1, "Check for All Errors Reported from Functions" |
| [ISO/IEC 9899:20112024] | Subclause 7.2131.73.10, "The ungetc Function" |
| [VU#159523] |
...