 
                            Redundant testing by caller and by callee as a style of defensive programming is largely discredited in the C and C++ communities, the main problem being performance. The usual discipline in C and C++ is to require validation on only one side of each interface.
Requiring the caller to validate arguments can result in faster code because the caller may understand certain invariants that prevent invalid values from being passed. Requiring the callee to validate arguments allows the validation code to be encapsulated in one location, reducing the size of the code and making it more likely that these checks are performed in a consistent and correct fashion.
For safety and security reasons, this standard recommends that the called function validate When writing a library, each exposed functions should perform a validity check on its parameters. Validity checks allow the library function to survive at least some forms of improper usage, enabling an application using the library function to likewise survive and often simplifies . Validity checks can also simplify the task of determining the condition that caused the illegal invalid parameter.
Non-Compliant Coding Example
For these examples, a library exposes an API as follows.
Noncompliant Code Example
In this noncompliant code example, setfile() and usefile() do not validate their parameters. It is possible that an invalid file pointer can be used by the library, corrupting the library's internal state and exposing a vulnerability.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| /* Sets | ||||
| Code Block | ||||
| /* sets some internal state in the library */ extern int setfile(FILE *file); /* performsPerforms some action using the file passed earlier */ extern int usefile(); | 
In this non-compliant example, setfile and usefile do not validate their parameters. It is possible that an invalid file pointer may be used by the library, possibly corrupting the library's internal state and exposing a vulnerability.
| Code Block | ||
|---|---|---|
| 
 | ||
| static FILE *myFile; intvoid setfile(FILE *file) { myFile = file; return 0; } intvoid usefile(void) { /* performPerform some action here */ return 0; } | 
The vulnerability is can be more severe if the internal state references sensitive or system-critical data.
Compliant Solution
Validating the function parameters and verifying the internal state leads to consistency of program execution and may eliminate potential vulnerabilities, presuming the application using the library properly uses the library. In addition, implementing commit or rollback semantics (leaving program state unchanged on error) is a desirable practice for error safety.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| /* Sets some internal state in the library */ extern errno_t setfile(FILE *file); /* Performs some action using the file passed earlier */ extern errno_t usefile(void); static FILE *myFile; interrno_t setfile(FILE *file) { if (file && !ferror(file) && !feof(file)) { myFile = file; return 0; } /* Error safety: leave myFile =unchanged NULL;*/ return -1; } interrno_t usefile(void) { if (!myFile) return -1; /* perform * Perform other checks if needed,; return * error condition. */ /* performPerform some action here */ return 0; } | 
Risk Assessment
The most likely result of ignoring this recommendation is Failing to validate the parameters in library functions may result in an access violation or a data integrity violation. Such a scenario is indicative of scenario indicates a flaw in how the manner in which the library is used by the calling code. However, it the library itself may still be the library itself that is the vector by which the calling code's vulnerability is exploited.
| Recommendation | Severity | Likelihood | 
|---|
| Detectable | Repairable | Priority | Level | 
|---|
MSCxx-A
1 (low)
1 (unlikely)
1 (low)
P1
L3
References
| API00-C | Medium | Unlikely | No | No | P2 | L3 | 
|---|
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée | 
 | Supported | |||||||
| CodeSonar | 
 | LANG.STRUCT.UPD | Unchecked parameter dereference | ||||||
| Parasoft C/C++test | 
 | CERT_C-API00-a | The validity of parameters must be checked inside each function | ||||||
| PC-lint Plus | 
 | 413, 613, 668 | Partially supported: reports use of null pointers including function parameters which are assumed to have the potential to be null | ||||||
| PVS-Studio | 
 | V781, V1111 | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship | 
|---|---|---|
| CERT C | MSC08-CPP. Functions should validate their parameters | Prior to 2018-01-12: CERT: Unspecified Relationship | 
| CWE 2.11 | CWE-20, Insufficient input validation | Prior to 2018-01-12: CERT: | 
| MITRE CWE | CWE-476 | Prior to 2018-01-12: | 
Bibliography
...
Apple, Inc. Secure Coding Guide: Application Interfaces That Enhance Security. Retrieved Apr 26, 2007.