...
A nested call to an exit function is undefined behavior. (See undefined behaviors 182 and 187.) This behavior can occur only when an exit function is invoked from an exit handler or when an exit function is called from within a signal handler. (See SIG30-C. Call only asynchronous-safe functions within signal handlers.)
If a call to the longjmp() function is made that would terminate the call to a function registered with atexit(), the behavior is undefined. (See undefined behavior 187.)
Noncompliant Code Example
In this noncompliant code example, the exit1() and exit2() functions are registered by atexit() to perform required cleanup upon program termination. However, if some_condition evaluates to true, exit() is called a second time, resulting in undefined behavior 187.
```c
#include <stdlib.h>

void exit1(void) {
  /* ... Cleanup code ... */
  return;
}

void exit2(void) {
  extern int some_condition;
  if (some_condition) {
    /* ... More cleanup code ... */
    exit(0); /* Nested call to exit() from an exit handler: undefined behavior */
  }
  return;
}

int main(void) {
  if (atexit(exit1) != 0) {
    /* Handle error */
  }
  if (atexit(exit2) != 0) {
    /* Handle error */
  }
  /* ... Program code ... */
  return 0;
}
```
...
Terminating a call to an exit handler in any way other than by returning is undefined behavior and may result in abnormal program termination or other unpredictable behavior. It may also prevent other registered handlers from being invoked.
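One way to rewrite the second handler so that it complies with this rule, as an added example (not the page's own compliant solution): the extra cleanup is performed inline and the handler returns instead of calling exit(), so the remaining registered handlers still run in reverse registration order. The `some_condition` and `cleanup*_done` variables are constructed stand-ins for the page's `extern int some_condition` and its elided cleanup code.

```c
#include <stdlib.h>

/* Constructed state standing in for the page's `some_condition` and for
 * the cleanup work the handlers are supposed to do. */
static int some_condition = 1;
static int cleanup1_done = 0;
static int cleanup2_done = 0;

/* First handler: performs its cleanup and returns normally. */
static void exit1(void) {
  cleanup1_done = 1; /* ... Cleanup code ... */
}

/* Second handler, rewritten so that it never calls exit(). The cleanup
 * that the noncompliant version did just before its nested exit(0) is done
 * here, and the handler returns. Because atexit() handlers run in reverse
 * order of registration, exit1() still runs after this returns; the nested
 * exit(0) would have made that undefined. */
static void exit2(void) {
  if (some_condition) {
    cleanup2_done = 1; /* ... More cleanup code ... */
  }
  /* No exit(), abort(), or longjmp() here: returning is the only
   * permitted way to leave an exit handler. */
}

/* Registers both handlers. Returns 0 on success and -1 if atexit() fails,
 * so the caller (not the handler) decides how to terminate. */
int register_exit_handlers(void) {
  if (atexit(exit1) != 0) {
    return -1;
  }
  if (atexit(exit2) != 0) {
    return -1;
  }
  return 0;
}

int main(void) {
  if (register_exit_handlers() != 0) {
    return EXIT_FAILURE; /* Handle error: could not register handlers */
  }
  /* ... Program code ... */
  return 0; /* normal termination runs exit2(), then exit1() */
}
```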
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| ENV32-C | Medium | Likely | Yes | No | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | user_defined bad-function bad-function-use | Soundly supported |
| Axivion Bauhaus Suite | | CertC-ENV32 | |
| CodeSonar | | BADFUNC.ABORT | Use of abort |
| Compass/ROSE | | | Can detect violations of this rule. In particular, it ensures that all functions registered with |
| Cppcheck Premium | 24.9.0 | premium-cert-env32-c | |
| Helix QAC | | DF4856, DF4857, DF4858 | |
| Klocwork | | CERT.EXIT.HANDLER_TERMINATE | |
| LDRA tool suite | | 122 S 7 S | Enhanced enforcement |
| Parasoft C/C++test | | CERT_C-ENV32-a | Properly define exit handlers |
| | | CERT C: Rule ENV32-C | Checks for abnormal termination of exit handler (rule fully covered) |
| RuleChecker | | bad-function bad-function-use | Supported |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | SIG30-C. Call only asynchronous-safe functions within signal handlers | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Structured Programming [EWD] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Termination Strategy [REU] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-705, Incorrect Control Flow Scoping | ... 2017-07-10: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-705 and ENV32-C
CWE-705 = Union( ENV32-C, list) where list =
- Improper control flow besides a non-returning exit handler
...